Abstract

Coercion resistance is an important and one of the most intri- 
cate security requirements of electronic voting protocols. Several 
definitions of coercion resistance have been proposed in the liter- 
ature, including definitions based on symbolic models. However, 
existing definitions in such models are rather restricted in their 
scope and quite complex. 

In this paper, we therefore propose a new definition of co- 
ercion resistance in a symbolic setting, based on an epistemic 
approach. Our definition is relatively simple and intuitive. It 
allows for a fine-grained formulation of coercion resistance and 
can be stated independently of a specific, symbolic protocol and 
adversary model. As a proof of concept, we apply our defini- 
tion to three voting protocols. In particular, we carry out the 
first rigorous analysis of the recently proposed Civitas system. 
We precisely identify those conditions under which this system 
guarantees coercion resistance or fails to be coercion resistant. 
We also analyze protocols proposed by Lee et al. and Okamoto. 
1 Introduction

Coercion resistance is one of the most important and intricate
security requirements of voting protocols [23,33]. Intuitively,
a voting protocol is coercion resistant if it prevents
voter coercion and vote buying. In other words, a coercer 
should not be able to influence the behavior of a voter. A 
notion closely related to coercion resistance, but somewhat 
weaker is receipt freeness, first proposed in [8]. 

Most voting schemes and systems that aim to achieve 
coercion resistance or receipt freeness come without a rig- 
orous security proof. Maybe not surprisingly, some of these 
protocols have been found to be flawed (see, e.g., discus- 
sions in [32] and [19]). The lack of proofs is partly due 
to the fact that only recently first formal definitions of co- 
ercion resistance and receipt freeness have been proposed 
in the literature, both based on cryptographic and sym- 
bolic models [4,13,17,21-23,31]. With "cryptographic mod- 
els" we mean models in which messages are modeled as bit 
strings and adversaries are probabilistic polynomial time
Turing machines. In contrast, symbolic models take a more 
abstract view on cryptography. In this paper, our focus 
will be on symbolic models. While security guarantees in 
cryptographic models are typically stronger than in sym- 
bolic models, security proofs in cryptographic models are 
usually very involved, and as a result, often omitted or 
only sketched. For electronic voting protocols, which are 
among the most complex security protocols, this is even 
more so (see, e.g., [8,14,19,23,28,33,34]). Conversely, secu- 
rity proofs in symbolic models are easier to carry out and 
they are more amenable to tool support. Research on security
protocol analysis has demonstrated that many, though not all,
attacks on security protocols can be uncovered
and prevented by means of symbolic protocol analysis (see,
e.g., [3,7,9,10,12,26,30]). In some cases, security guar- 
antees established in symbolic models even imply security 
in cryptographic models (see, e.g., [2,15,29]). Hence, sym- 
bolic models certainly have their merits for security protocol 
analysis, including the analysis of voting protocols. 

However, the definitions of coercion resistance in sym- 
bolic models proposed in the literature thus far are rather 
restricted in scope, yet quite complex and not always intuitive
(see Section 7 for a detailed discussion).

Contribution of this paper. One of the main contri- 
butions of this paper is to provide a general, yet intuitive 
and simple definition of coercion resistance. Our definition 
follows an epistemic approach. It is formulated in a model- 
independent way. In particular, it can be instantiated by 
different symbolic models. While the focus of this work is 
on voting protocols, our definition may be applicable be- 
yond this domain. 

In order to analyze concrete voting protocols, we instan- 
tiate our framework by a rather standard symbolic model. 
Within our model, we prove several general statements, 
which underline the adequacy of our model and which have 
not been proven in other symbolic models. Among oth- 
ers, we show that coercion resistance w.r.t. a single coerced 
voter implies coercion resistance w.r.t. multiple coerced vot- 
ers. 
As a proof of concept, we analyze coercion resistance of
three voting protocols: the recently proposed voting system
Civitas [14], a voting protocol by Lee et al. [28] and one by
Okamoto [33]. To the best of our knowledge, Civitas
and the scheme by Okamoto have not been rigorously analyzed
before. Our modeling, in particular of Civitas, is quite
detailed and goes beyond the level of detail considered in
other works. For example, for Civitas we model dishonest
authorities and the zero-knowledge proofs authorities have
to provide to prove their compliance with the protocol. We
precisely identify those conditions under which coercion
resistance is guaranteed and point out situations in which
the protocols do not provide coercion resistance, thereby
relativizing previous claims and providing new insights into
and improvements of the protocols. The analyses of the
example protocols illustrate that our definition of coercion
resistance allows one to specify various degrees of coercion
resistance in a fine-grained way. Without this flexibility of
our definition, no reasonable statement about the coercion
resistance of voting protocols would be possible as every
protocol builds on its own assumptions and provides
specific security guarantees.

Structure of this paper. In the following section, we
present our definition of coercion resistance. A concrete
instantiation of this definition is provided in Section 3, with
general properties given in Section 4. The analyses of the
three mentioned voting protocols are then presented in
Sections 5, 6, and Appendix D. Related work is discussed in
Section 7. We conclude in Section 8. More details and
proofs can be found in the appendix.

2 Defining Coercion Resistance 

In this section, we present our definition of coercion
resistance in an epistemic framework, independent of a specific,
symbolic protocol or adversary model. A concrete instantiation
will be considered in Section 3.

Our definition of coercion resistance is based on what we
call a coercion system. A coercion system will be induced
by a voting protocol (see Section 3). It emphasizes in an
abstract way those parts relevant for defining coercion
resistance, without the need to consider details of a protocol
and adversary model. More intuition is provided following
the next definition.

Definition 1. A coercion system is a tuple
$S = (R, V, C, E, r, \sim)$, where $R$ is a set of runs, $V$, $C$,
and $E$ are sets of possible programs of coerced voters, the
coercer, and the environment, respectively, $r$ is a mapping which
assigns a set $r(v, c, e) \subseteq R$ of runs induced by
$(v, c, e)$ to each tuple $(v, c, e) \in V \times C \times E$, and
$\sim$ is an equivalence relation on the set $R$, which determines
the view of a coercer on a run.

A coercion system determines the possible behaviors of
coerced voters, the coercer, and the environment. The
environment is the part of the system controlled neither by
the coercer nor by the coerced voter. The environment
typically describes the possible behaviors of honest entities,
such as honest voters and authorities; dishonest voters and
authorities will be subsumed by the coercer. The programs
carried out by these honest entities will be determined by
the voting protocol under consideration. However, the
environment typically does not fix up front how and if certain
honest voters vote. It may also leave open the number of
voters as well as how many of them and which voters are
honest or dishonest. The set $r(v, c, e)$ describes the possible
runs obtained when the programs $v$, $c$, and $e$ of the coerced
voter, the coercer, and the environment, respectively, run
together. A run is typically a sequence of configurations
induced by the interaction of $v$, $c$, and $e$. However, for a
general definition of coercion resistance it is not necessary
to fix such details at this point. The reason that we do
not define $r(v, c, e)$ to be a single run is that a run of $v$,
$c$, and $e$ might involve some non-deterministic choices, e.g.,
non-deterministic scheduling of messages. The equivalence
relation $\sim$ defines the view of the coercer. The intuition is
that if two runs $\rho$ and $\rho'$ are equivalent w.r.t. $\sim$,
i.e., $\rho \sim \rho'$, then the coercer has the same view in
both runs. In other words, these runs look the same from the
coercer's point of view.

We can now turn to the definition of coercion resistance. 
For the following discussion, we concentrate on the case 
that only a single voter is coerced. The case of multi-voter 
coercion resistance is discussed later. 

Given a coercion system $S = (R, V, C, E, r, \sim)$, the idea
behind our definition of coercion resistance is as follows:

Our definition assumes that the coerced voter has a certain
goal $\gamma$ that he/she would try to achieve in absence of
coercion. Formally, $\gamma$ is a subset of $R$, the set of runs of
$S$. If, for example, $\gamma$ is supposed to express that the
coerced voter wants to vote for a certain candidate, then $\gamma$
would contain all runs in which the coerced voter voted for
this candidate and this vote is in fact counted. Jumping
ahead, as we will see in the analysis of concrete protocols,
often such a goal cannot be achieved. This is, for example,
the case if ballots are sent over an unreliable channel or an
election authority misbehaves in an observable way and as a
result the election process is stopped. A more realistic goal
$\gamma$ would then be that the coerced voter successfully votes
for a certain candidate, provided the voter's ballot is
delivered in time and the election authority did not misbehave
in an observable way.

Now, in the definition of coercion resistance we imagine
that the coercer provides the coerced voter with a program
$v \in V$ (the coercion strategy), which the coercer wants the
coerced voter to run, instead of the program the coerced
voter would carry out when following the voting protocol.
The program $v$ might determine the candidate for which
the coercer wants the coerced voter to vote or might
dictate the coerced voter not to vote (abstention attack).
The choice of the candidate or whether or not the coerced
voter should abstain from voting might even depend on the
course of the election process and the information that the
coercer has gathered thus far. Such information can be
gathered by the program $v$ or might be given to the program
by the coercer; in the most general setting, one assumes
that the coercer can freely communicate with the
program $v$, and by this, further influence and control the
behavior of the coerced voter. Rather than directly
manipulating the outcome of the election, the purpose of $v$ might
as well be to merely test whether the coerced voter follows
the prescribed program $v$; for example, to find out whether
this voter is "reliable", and hence, is a good candidate for
coercion in later elections. This illustrates that the
intentions of the coercer are manifold and hard to predict. The
set $V$ should therefore contain all programs that a coercer
could possibly give to a coerced voter. However, as shown
in Section 4.1, in a concrete communication model, it often
suffices to consider just one program that simply forwards
all messages from/to the coercer. Nevertheless, taking the
set $V$ into account only makes our definition more flexible
since different classes of coercion strategies can be specified.

Our definition of coercion resistance requires that for all
$v \in V$, there exists a program $v' \in V$, the counter strategy,
that the coerced voter can run instead of $v$, such that (i)
the voter always achieves his/her own goal $\gamma$ by running
$v'$ and (ii) the coercer does not know whether the coerced
voter ran $v$ or $v'$. In other words, in every run in which the
coerced voter ran $v$, the coercer thinks, given his/her view
of the run, that it is possible that the coerced voter ran $v'$.
Conversely, in every run in which the coerced voter ran $v'$,
the coercer thinks that it is possible that the coerced voter
ran $v$. So, the coercer cannot know whether the coerced
voter followed the coercer's instructions (i.e., ran $v$) or just
tried to achieve his/her own goal (by running $v'$). If in
some situations the coercer knew that the coerced voter
ran either $v$ or $v'$, then the voter could be influenced: The
coercer could give positive and/or negative incentives for
running $v$/$v'$, e.g., by offering money and/or threatening
the coerced voter.

The above leads to the following definition. The meaning
of $\alpha$ is explained below.

Definition 2. Let $S = (R, V, C, E, r, \sim)$ be a coercion
system and $\alpha, \gamma \subseteq R$. The system $S$ is coercion
resistant in $\alpha$ w.r.t. $\gamma$, if for each $v \in V$ there
exists $v' \in V$ such that the following conditions are satisfied.

(i) For every $c \in C$, $e \in E$, and
$\rho \in r(v, c, e) \cap \alpha$, there exists $e' \in E$ and
$\rho' \in r(v', c, e')$ such that $\rho \sim \rho'$.

(ii) For every $c \in C$, $e \in E$, and
$\rho \in r(v', c, e) \cap \alpha$, there exists $e' \in E$ and
$\rho' \in r(v, c, e')$ such that $\rho \sim \rho'$.

(iii) For every $c \in C$ and $e \in E$, we have
$r(v', c, e) \subseteq \gamma$.

Condition (iii) in the above definition directly captures
that if the coerced voter runs the counter strategy $v'$, then
independently of the actions of the coercer $c$ and the
environment $e$, the coerced voter achieves his/her goal. To
explain the conditions (i) and (ii), let us first ignore the
set $\alpha$. Then (i) says that, for every run $\rho$ in which the
coerced voter carries out $v$, there exists another run $\rho'$ in
which the coerced voter carries out $v'$ such that the view of
the coercer, who runs $c$ in both runs, is the same. In other
words, even though the coerced voter carried out $v$, from
the coercer's point of view it is possible that the coerced
voter carried out $v'$. The programs $e$ and $e'$ in (i) might,
for example, differ in the way honest voters voted. So even
though the coerced voter might not have voted in the way
intended by the coercer, the coercer cannot tell from the
outcome of the election, as the coercer does not have
complete knowledge about how everybody voted. Analogously,
condition (ii) says that in every run in which the coerced
voter ran $v'$, the coercer thinks that it is possible that the
coerced voter ran $v$. Altogether (i) and (ii) say that the
coercer never knows whether the coerced voter ran $v$ or $v'$.

Now, let us discuss the purpose of $\alpha$. The intuition is
that $\alpha$ describes a property of the environment (which, as
mentioned, includes the honest voters) in terms of a set of
runs that satisfy this property. The set $\alpha$ typically includes
almost all runs of the system, except for those that are
unlikely to happen and would reveal to the coercer that the
coerced voter is following $v$ or $v'$. For example, $\alpha$ would
typically not contain a run, say $\rho$, in which a certain
candidate, say a, does not get any vote from the honest voters.
Indeed, to obtain a successful counter strategy, it is
necessary to exclude such a run: Assume that the coercer wants
the coerced voter to vote for a (hence, an appropriate $v$ is
given by the coercer to the coerced voter). Also assume that
the goal $\gamma$ of the coerced voter is to vote for a different
candidate, say b. Then in the run $\rho$ from above, if the coerced
voter ran the counter strategy $v'$, the coercer would easily
detect this fact: If after the election the coercer observes
that there is no vote for a, the coercer can be sure that
the coerced voter was not following the coercion strategy $v$.
In other words, in Definition 2, if $v'$ satisfies (iii), then (ii)
cannot be satisfied, unless runs such as $\rho$ are excluded by
$\alpha$. This example shows that without taking an appropriate
$\alpha$ into account, Definition 2 would be too strong in almost all
realistic settings.
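
Definition 2 can be checked mechanically when the coercion system is finite. The following is an added example, not code from the paper: it checks conditions (i) to (iii) on a constructed toy election and reproduces the role of $\alpha$ described above. The program names (vote_a, vote_b, abstain), the two honest voters and the assumption that the coercer's view is the final tally are all illustrative choices.

```python
from itertools import product

CANDIDATES = ("a", "b")

def coercion_resistant(V, C, E, r, view, alpha, gamma):
    """Check Definition 2 on a finite coercion system.

    r(v, c, e) returns the set of runs induced by (v, c, e); two runs are
    related by ~ exactly when view(run) is equal. alpha and gamma are
    predicates on runs. Returns {v: v'} giving a counter strategy for every
    coercion strategy v, or None if some v has no counter strategy.
    """
    def covered(src, dst, c):
        # Every run of src in alpha has a ~-equivalent run of dst for the
        # same coercer program c and some environment e' (conditions i/ii).
        dst_views = {view(run) for e2 in E for run in r(dst, c, e2)}
        return all(view(run) in dst_views
                   for e in E for run in r(src, c, e) if alpha(run))

    def achieves_goal(v2, c):
        # Condition (iii): all runs of the counter strategy lie in gamma.
        return all(gamma(run) for e in E for run in r(v2, c, e))

    counter = {}
    for v in V:
        for v2 in V:
            if all(covered(v, v2, c) and covered(v2, v, c)
                   and achieves_goal(v2, c) for c in C):
                counter[v] = v2
                break
        else:
            return None  # no v' works for this v
    return counter

def make_system(voter_programs, honest=2):
    """Constructed toy election: `honest` honest voters, one coerced voter,
    and a coercer whose view of a run is the final tally only."""
    C = ["observe_tally"]
    E = list(product(CANDIDATES, repeat=honest))  # how the honest voters vote

    def r(v, c, e):
        ballots = list(e) + ([] if v == "abstain" else [v.split("_")[1]])
        tally = tuple(ballots.count(x) for x in CANDIDATES)
        return {(v, c, e, tally)}  # deterministic: one run per (v, c, e)

    def view(run):
        return (run[1], run[3])  # coercer program and tally

    return voter_programs, C, E, r, view

def gamma(run):        # goal: the coerced voter's ballot for b is counted
    return run[0] == "vote_b"

def alpha_all(run):    # alpha = R
    return True

def alpha_mixed(run):  # honest voters give every candidate at least one vote
    return set(run[2]) == set(CANDIDATES)

def analyse():
    basic = make_system(["vote_a", "vote_b"])
    with_abstention = make_system(["vote_a", "vote_b", "abstain"])
    return {
        "alpha = R": coercion_resistant(*basic, alpha_all, gamma),
        "alpha excludes unanimous honest votes":
            coercion_resistant(*basic, alpha_mixed, gamma),
        "abstention allowed":
            coercion_resistant(*with_abstention, alpha_mixed, gamma),
    }

if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

In this toy system the third case fails only because the tally reveals the number of ballots cast; it says nothing about the protocols analyzed in the paper.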

The example protocols analyzed in Sections 5, 6, and
Appendix D will further illustrate the usefulness and necessity
of the parameters $\alpha$ and $\gamma$ of our definition of coercion
resistance. These parameters allow one to precisely capture under
what conditions a protocol is coercion resistant, making for
a quite fine-grained and general notion of coercion
resistance.

Definition 2 only stipulates the existence of a counter
strategy $v'$, given a coercion strategy $v$. However, it might
in general not be easy to come up with $v'$ given $v$.
Fortunately, as already mentioned above, we can show that it
often suffices to come up with a counter strategy only for
what we call a dummy coercion strategy, which merely
forwards messages to/from the coercer. Given such a counter
strategy, one can, in a generic way, construct a counter
strategy for any given coercion strategy (see Section 4.1).
We believe that the construction of a counter strategy from
a (dummy) coercion strategy should be part of the protocol
specification, so that a voter knows how to defend against
coercion (see also [31]).

We note that Definition 2 captures coercion resistance in
a possibilistic way. We do not consider probabilities. While
Definition 2 requires that from the coercer's point of view
it is always possible that the coerced voter ran $v$, say, the
definition does not talk about the probability for this to
be the case. If this probability were low, the coercer could
tend to believe that the coerced voter ran $v'$. We leave
a probabilistic/cryptographic version of our definition as
future work. The analysis carried out in this work for the
three voting protocols shows that already in a possibilistic
setting non-trivial security guarantees can be proved and
subtle vulnerabilities can be uncovered.

While in Definition 2 only one goal of the coerced voter is
considered, a protocol should of course be coercion resistant
no matter what goal the coerced voter would like to achieve;
for example, no matter which candidate the coerced voter
would like to vote for. This is captured by the following
generalization of Definition 2.

Definition 3. Let $S = (R, V, C, E, r, \sim)$ be a coercion
system and $\Gamma$ be a set of goals, i.e. $\Gamma$ is a set of
subsets of $R$. Then $S$ is coercion resistant in $\alpha$ w.r.t.
$\Gamma$, if $S$ is coercion resistant in $\alpha$ w.r.t. $\gamma$,
for each $\gamma \in \Gamma$.

Multi-voter coercion. So far, we had in mind that $v$ and
$v'$ stand for programs carried out by a single coerced voter.
Nevertheless, we can just as well think of $v$ and $v'$ as tuples
of programs carried out by multiple coerced voters, where
the tuples may be of varying length, depending on how
many voters are coerced. In other words, our definition of
coercion resistance directly carries over to the case of
multi-voter coercion resistance, where multiple voters are coerced
at the same time. However, the requirement "for all $v$ there
exists a $v'$ such that ..." in the definition of coercion
resistance then only means that a coerced voter can pick a
counter strategy depending on all the programs in $v$. This
is too weak. A coerced voter should be able to pick his/her
counter strategy independently of other coerced voters; a
coerced voter may in general not know who else is coerced
and with whom he/she can (safely) collaborate. Therefore,
for multi-voter coercion resistance, we replace the
requirement "for all $v$ there exists a $v'$ such that ..." by "there
exists a function $f$ which maps a coercion strategy for one
voter to a counter strategy for one voter such that, for
every tuple $v$ of programs, $v' = f(v)$ is a counter strategy
such that ...", where $f(v)$ means that $f$ is applied to every
single program in the tuple $v$.

In Section 4.3 we show that (a slight extension of)
coercion resistance w.r.t. a single coerced voter implies
multi-voter coercion resistance. So, to obtain multi-voter coercion
resistance it suffices to consider the case of a single coerced
voter.



3 A Concrete Protocol and Adversary Model

In this section, we instantiate the framework presented in 
the previous section by a concrete protocol and adversary 
model. Several instantiations are possible, including, for 
example, one based on I/O automata or process calcu- 
lus. For the sake of brevity, we pick a quite abstract one, 
in which computations are described by certain functions, 
called atomic processes. However, the results presented in 
the subsequent sections also carry over to other models. 
We note that these sections should be intelligible without 
the concrete protocol and adversary model presented in this 
section. 

3.1 Terms and messages 

Let $\Sigma$ be some signature for cryptographic primitives
(including a possibly infinite set of constants for representing
participant names, etc.), $X = \{x_1, x_2, \ldots\}$ be a set of
variables, and $\mathcal{N}$ be an infinite set of nonces, where the
sets $\Sigma$, $X$, and $\mathcal{N}$ are pairwise disjoint. For
$N \subseteq \mathcal{N}$, the set $T_N$ of terms over
$\Sigma \cup N$ and $X$ is defined as usual.
Ground terms, i.e., terms without variables, represent
messages. We assume some fixed equational theory associated
with $\Sigma$ and denote by $\equiv$ the congruence relation on
terms induced by this theory. The exact definition of $\Sigma$ and
the equational theory will depend on the cryptographic
primitives used in the voting protocol under consideration. For
the voting protocols we analyze in Sections 5, 6, and
Appendix D, quite involved signatures and equational theories
will be considered, which, among others, allow one to model
homomorphic encryption and various kinds of zero knowledge
proofs (designated-verifier reencryption proofs, distributed
plaintext equivalence tests, etc.). A simple example of a
signature $\Sigma_{ex}$ and its associated equational theory is
provided in Figure 1. A term of the form $\mathrm{sig}_k\{m\}$
represents a message $m$ signed using the (private) key $k$.
Checking validity of such a signature is modeled by equation (1). The
fact that signatures do not necessarily hide the signed
message is taken care of by equation (2). A term of the form
$\{x\}^r_{\mathrm{pub}(k)}$ represents the ciphertext obtained by
encrypting $x$ under the public key $\mathrm{pub}(k)$ using
randomness $r$. Decryption of such a term using the corresponding
private key $k$ is modeled by equation (3). A term of the form
$\langle x, y \rangle$ models the pairing of terms $x$ and $y$. The
components $x$ and $y$ of $\langle x, y \rangle$ can be extracted by
applying the operators $\mathrm{first}(\cdot)$ and
$\mathrm{sec}(\cdot)$, respectively, as modeled by the
equations (4). Let $\equiv_{ex}$ denote the congruence relation
induced by the equational theory in Figure 1, then we have
that $\mathrm{dec}(\{a\}^r_{\mathrm{pub}(k)}, \mathrm{first}(\langle k, b \rangle)) \equiv_{ex} a$.

3.2 Event sequences and views 

Let $Ch$ be a set of channels (channel names). An
input/output event is of the form $(c : m)$ and $(\bar{c} : m)$,
respectively, for $c \in Ch$ and a message $m$ (note that
$\bar{c} \notin Ch$).
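
$\mathrm{checksig}(\mathrm{sig}_k\{m\}, \mathrm{pub}(k)) = \mathsf{T}$   (1)

$\mathrm{extractmsg}(\mathrm{sig}_k\{m\}) = m$   (2)

$\mathrm{dec}(\{x\}^r_{\mathrm{pub}(k)}, k) = x$   (3)

$\mathrm{first}(\langle x, y \rangle) = x$,  $\mathrm{sec}(\langle x, y \rangle) = y$   (4)

Figure 1: The equational theory associated with the signature
$\Sigma_{ex} = \{\mathrm{sig}_{\cdot}\{\cdot\}, \langle\cdot,\cdot\rangle, \{\cdot\}^{\cdot}_{\cdot}, \mathsf{T}, \mathrm{checksig}(\cdot,\cdot), \mathrm{extractmsg}(\cdot), \mathrm{first}(\cdot), \mathrm{sec}(\cdot)\}$.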

A finite or infinite sequence of events is called an event
sequence. For an event sequence
$\rho = (c_1 : m_1), (c_2 : m_2), \ldots$ of input events, we denote
by $chan(\rho)$ the sequence $c_1, c_2, \ldots$ of channels. For
$C \subseteq Ch$, we denote by $\rho|_C$ the subsequence
of $\rho$ containing only the events $(c : m)$ with $c \in C$.

Let $\tau \in T_N$ be a term. Then, with $\rho$ as above, we
denote by $\tau[\rho]$ the message
$\tau[m_1/x_1, m_2/x_2, \ldots]$, where $x_i$ is replaced by $m_i$.
(Recall that the set of variables is $X = \{x_1, x_2, \ldots\}$.)
For example, assume that
$\tau_{ex} = \mathrm{dec}(x_1, \mathrm{first}(x_2))$ and
$\rho_{ex} = (c_1 : \{a\}^r_{\mathrm{pub}(k)}), (c_2 : \langle k, b \rangle)$.
Then $\tau_{ex}[\rho_{ex}] = \mathrm{dec}(\{a\}^r_{\mathrm{pub}(k)}, \mathrm{first}(\langle k, b \rangle)) \equiv_{ex} a$.
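
The equations of Figure 1 and the substitution $\tau[\rho]$ can be executed directly. The following is an added example, not code from the paper: it represents terms as nested tuples, applies equations (1) to (4) as left-to-right rewrite rules, and evaluates the example above. The tuple encoding, the function names and the convention that atoms named x1, x2, ... are variables are assumptions of this sketch.

```python
# Terms are nested tuples ("op", arg1, ...); atoms (constants, nonces,
# variables) are strings. Atoms of the form "x<i>" are the variables x_i.

def pub(k):        return ("pub", k)
def sig(k, m):     return ("sig", k, m)          # sig_k{m}
def enc(x, pk, r): return ("enc", x, pk, r)      # {x}^r_pk
def pair(x, y):    return ("pair", x, y)         # <x, y>

def _is(term, op):
    return isinstance(term, tuple) and term[0] == op

def normalize(t):
    """Rewrite t to normal form using equations (1)-(4) of Figure 1.

    Arguments are normalized first; every right-hand side is a subterm of
    the left-hand side, so one bottom-up pass is enough.
    """
    if isinstance(t, str):
        return t
    op, *args = t
    args = [normalize(a) for a in args]
    if op == "checksig" and _is(args[0], "sig") and args[1] == pub(args[0][1]):
        return "T"                                   # equation (1)
    if op == "extractmsg" and _is(args[0], "sig"):
        return args[0][2]                            # equation (2)
    if op == "dec" and _is(args[0], "enc") and args[0][2] == pub(args[1]):
        return args[0][1]                            # equation (3)
    if op in ("first", "sec") and _is(args[0], "pair"):
        return args[0][1 if op == "first" else 2]    # equations (4)
    return (op, *args)

def equal_mod_theory(t1, t2):
    """Decide t1 == t2 modulo the theory by comparing normal forms."""
    return normalize(t1) == normalize(t2)

def chan(rho):
    """Sequence of channels of an event sequence [(channel, message), ...]."""
    return [c for c, _ in rho]

def restrict(rho, channels):
    """rho|_C: the subsequence of events on channels in C."""
    return [(c, m) for c, m in rho if c in channels]

def substitute(tau, rho):
    """tau[rho]: replace each variable x_i by the message of the i-th event."""
    if isinstance(tau, str):
        if tau.startswith("x") and tau[1:].isdigit():
            i = int(tau[1:])
            if not 1 <= i <= len(rho):
                raise ValueError(f"{tau} has no corresponding input event")
            return rho[i - 1][1]
        return tau
    return (tau[0], *(substitute(a, rho) for a in tau[1:]))

# The example from the text: tau_ex = dec(x1, first(x2)).
TAU_EX = ("dec", "x1", ("first", "x2"))
RHO_EX = [("c1", enc("a", pub("k"), "r")), ("c2", pair("k", "b"))]
# Constructed variant: the second message carries a different key k2.
RHO_WRONG_KEY = [("c1", enc("a", pub("k"), "r")), ("c2", pair("k2", "b"))]

if __name__ == "__main__":
    print(normalize(substitute(TAU_EX, RHO_EX)))          # a
    print(normalize(substitute(TAU_EX, RHO_WRONG_KEY)))   # stuck dec(...) term
```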

Borrowing the notion of static equivalence from [1], we
call two event sequences $\rho$ and $\rho'$ of input events
statically equivalent w.r.t. a set $C \subseteq Ch$ of channels and
a set $N \subseteq \mathcal{N}$ of nonces, written
$\rho \equiv^C_N \rho'$, if (i) $chan(\rho|_C) = chan(\rho'|_C)$ and
(ii) for every $\tau_1, \tau_2 \in T_N$ we have that
$\tau_1[\rho|_C] \equiv \tau_2[\rho|_C]$ iff
$\tau_1[\rho'|_C] \equiv \tau_2[\rho'|_C]$. Intuitively, a party
listening on channels $C$ and a priori knowing the nonces in $N$,
cannot distinguish between the inputs received according to $\rho$
and those received according to $\rho'$. We call the equivalence
class of $\rho$ w.r.t. $\equiv^C_N$, the $(C,N)$-view on $\rho$. For
example, if $k$, $k'$, $a$, and $b$ are different constants, $r$ and
$r'$ are nonces, $C = \{c_1, c_2\}$, and $N = \emptyset$, then it is
easy to see that
$\rho^1_{ex} = (c_1 : \{a\}^r_{\mathrm{pub}(k)}), (c_2 : \langle k', b \rangle), (c_3 : k)$
and
$\rho^2_{ex} = (c_1 : \{b\}^{r'}_{\mathrm{pub}(k)}), (c_2 : \langle k', b \rangle)$
yield the same $(C,N)$-view w.r.t. $\equiv_{ex}$.

3.3 Processes 

Processes are built from atomic processes. An atomic
process is basically a function that given a sequence of input
events (representing the history so far) produces a
sequence of output events. We require that an atomic
process behaves the same on inputs on which it has the same
view. Formally, atomic processes are defined as follows.

Definition 4. An atomic process is a tuple $p = (I, O, N, f)$
where

(i) $I, O \subseteq Ch$ are finite sets of input and output
channels, respectively,

(ii) $N \subseteq \mathcal{N}$ is a set of nonces used by $p$,

(iii) $f$ is a mapping which assigns a sequence
$f(U) = (\bar{c}_1 : \tau_1) \cdots (\bar{c}_n : \tau_n)$ with
$c_i \in O$ and $\tau_i \in T_N$ to each $(I,N)$-view $U$.



We refer to $I$, $O$ and $N$ by $I_p$, $O_p$, and $N_p$,
respectively. We note that the sets $I_p$ and $O_p$ do not have to
be disjoint (which means that $p$ can send messages to itself).

We note that (iii) guarantees that $p$ performs the same
computation on event sequences that are equivalent according
to $\equiv^I_N$, and hence, on which $p$ has the same view. This
is why $f$ is defined on $(I,N)$-views rather than on sequences
of input events.

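For an event sequence $\rho$, we write $p(\rho)$ for the output
produced by $p$ on input $\rho$. This output is
$(\bar{c}_1 : \tau_1[\rho']) \cdots (\bar{c}_n : \tau_n[\rho'])$,
where $\rho' = \rho|_I$ and
$(\bar{c}_1 : \tau_1) \cdots (\bar{c}_n : \tau_n) = f(U)$
for the equivalence class $U$ of $\rho'$ w.r.t. $\equiv^I_N$. For
example, let $I = \{c_1, c_2\}$, $N = \emptyset$, $U$ be the
equivalence class of $\rho^1_{ex}$, and assume that
$f(U) = (\bar{c}_4 : \langle x_1, \mathrm{first}(x_2) \rangle)$. Then,
$p(\rho^1_{ex}) = (\bar{c}_4 : \langle \{a\}^r_{\mathrm{pub}(k)}, \mathrm{first}(\langle k', b \rangle) \rangle)$,
which modulo $\equiv_{ex}$ can be equivalently written as
$(\bar{c}_4 : \langle \{a\}^r_{\mathrm{pub}(k)}, k' \rangle)$, and
$p(\rho^2_{ex}) = (\bar{c}_4 : \langle \{b\}^{r'}_{\mathrm{pub}(k)}, \mathrm{first}(\langle k', b \rangle) \rangle)$,
which modulo $\equiv_{ex}$ can be equivalently written as
$(\bar{c}_4 : \langle \{b\}^{r'}_{\mathrm{pub}(k)}, k' \rangle)$. Note
that since $\rho^1_{ex}$ and $\rho^2_{ex}$ yield the same
$(I,N)$-view w.r.t. $\equiv_{ex}$, $p$ performs the same
transformation on $\rho^1_{ex}$ and $\rho^2_{ex}$.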

For atomic processes $p$ and $p'$, we write $p \simeq p'$, if $p$
and $p'$ perform the same computation up to renaming of
nonces. Formally, for atomic processes $p = (I, O, N, f)$,
$p' = (I, O, N', f')$, we write $p \simeq p'$, if there exists a
bijection $h : N \to N'$ such that $h(f(U)) = f'(h(U))$ for every
$(I,N)$-view $U$. This is extended to processes (see below) in
the obvious way.

A process $P$ is a finite set of atomic processes with disjoint
sets of input channels and sets of nonces, i.e.,
$I_p \cap I_{p'} = \emptyset$ and $N_p \cap N_{p'} = \emptyset$, for
distinct $p, p' \in P$. The set of input/output channels and the set
of nonces of $P$ is $I_P = \bigcup_{p \in P} I_p$,
$O_P = \bigcup_{p \in P} O_p$, and $N_P = \bigcup_{p \in P} N_p$,
respectively. We say that $P$ is a process over $(I, O, N)$, if
$I_P \subseteq I$, $O_P \subseteq O$, and $N_P \subseteq N$. By
$\Pi(I, O)$ we denote the set of all processes over $(I, O, N)$, for
some $N \subseteq \mathcal{N}$.

For a finite event sequence $\rho$ with the last event of the
form $(c : m)$, we write $P(\rho)$ for $p(\rho)$, where $p$ is the
(unique) element of $P$ such that $c \in I_p$ (if such a $p$ does
not exist, then $P(\rho)$ is undefined).

Given a process $P$ and a finite sequence $s_0$ of output
events over $O_P$, a run $\rho$ of a process $P$ initiated by $s_0$
is a finite or infinite sequence of input and output events which
evolves from $s_0$ in a natural way: An output event is chosen
non-deterministically (initially from $s_0$). Once an output
event has been chosen, it will not be chosen anymore later
on. By definition of processes, there exists at most one
atomic process, say $p$, in $P$ with an input channel
corresponding to the output event. Now, $p$ (if any) is given
the input event corresponding to the chosen output event,
along with all previous input events on channels of $p$. Then,
$p$ produces a sequence of output events as described above.
Now, from these or older output events an output event
is chosen non-deterministically, and the computation
continues as before. The notion of a run is formally defined
below.
Definition 5. Let $P$ be a process and $s_0$ be a finite
sequence of events. A run induced by $P$ initiated by $s_0$ is a
sequence of events $s = e_1 e_2 \cdots$ such that

(i) $s$ begins with $s_0$,

(ii) There exists a bijective function $f$ from non-negative
integers to non-negative integers such that for each
$i$, if $e_i$ is an input event $(c : m)$, then $f(i) < i$ and
$e_{f(i)} = (\bar{c} : m)$, and, moreover, for each $i < j$ with
$e_i = (c : m)$ and $e_j = (c : m')$ we have $f(i) < f(j)$,

(iii) If $\rho$ can be split into $\rho_1 \rho_2 \rho_3$, where
$\rho_1$ ends with an input event, $\rho_2$ contains output events
only, and $\rho_3$ either is empty or begins with an input event,
then $\rho_2 = P(\rho_1)$.

A run is fair if it is finite or, in case it is infinite, each
message sent is eventually delivered (i.e. for each output
event there exists $j$ such that $f(j) = i$).

A run is finite if all output events were chosen at some
point and there is no new output event left that has not
yet been chosen; otherwise a run is infinite. We emphasize
that $s_0$ can induce many runs, due to the non-deterministic
delivery of messages.

We call two processes $P$ and $P'$ non-conflicting if
$I_P \cap I_{P'} = \emptyset$ and $N_P \cap N_{P'} = \emptyset$. In
this case, we will write $P_1 \| P_2$ instead of $P_1 \cup P_2$.
If $P \subseteq P'$, we call process $P$ a subprocess of process
$P'$. For such a $P$, we define an equivalence relation $\equiv_P$
on runs induced by $P'$ as follows: $\rho_1 \equiv_P \rho_2$ iff
$\rho_1$ $\rho_2$. Hence, $\rho_1 \equiv_P \rho_2$ means that from
the point of view of $P$, the runs $\rho_1$ and $\rho_2$ look the
same. In particular, $P$ behaves the same on these runs.

3.4 Protocols and Their Induced Coercion Systems

Definition 6. A protocol is a tuple
$S = (A, in, out, s_0, P)$, where

(i) $A$ is a finite set of agent names, with access to input
and output channels $in(a), out(a) \subseteq Ch$, respectively,
such that $in(a) \cap in(a') = \emptyset$ for $a \neq a'$,

(ii) $s_0$ is a finite sequence of output events, the initial
output sequence, for initializing parties,

(iii) for every $a \in A$, $P(a) \subseteq \Pi(in(a), out(a))$ is
the set of programs or processes of $a$; this set is assumed to be
closed under $\simeq$.

For example, if a is an honest voter, then P(a) would 
typically contain a program for each way a could vote, pos- 
sibly including abstention of voting. We note that the set 
A typically contains the coercer and coerced parties, i.e., 
these entities are part of the protocol specification. 

If $A = \{a_1, \ldots, a_n\}$ and $p_i \in P(a_i)$, then
$(p_1 \| \cdots \| p_n)$ is an instance of $S$, where the
$p_1, \ldots, p_n$ are non-conflicting.
A run of $S$ is a fair run of the process $p_1 \| \cdots \| p_n$
initiated by $s_0$, where $p_1 \| \cdots \| p_n$ is some instance
of $S$.



For a protocol $S = (A, in, out, s_0, P)$ and $a \in A$, a
channel $c$ is said to be a private channel of $a$, if
$c \in in(a) \cap out(a)$ and $c \notin in(a') \cup out(a')$ for all
$a' \neq a$.

Now, let $S = (A, in, out, s_0, P)$ be a protocol with
$A = \{v, c, e\}$. Typically, $e$ subsumes all honest principals and
processes in $P(e)$ are of the form $p_1 \| \cdots \| p_n$, where
$p_i$ are programs of honest voters and authorities. Dishonest
voters and authorities are subsumed by the coercer $c$ and
coerced voters by $v$. For such a protocol we can define a
coercion system, as follows.

Definition 7. Let $S = (A, \mathit{in}, \mathit{out}, s_0, P)$ be a protocol
with $A = \{v, c, e\}$. The coercion system induced by $S$ is
$(R, V, C, E, r, \sim)$, where

(i) $V = P(v)$, $C = P(c)$, and $E = P(e)$,

(ii) $R$ is a set of tuples of the form $(v, c, e, \pi)$, with
non-conflicting $v \in V$, $c \in C$, $e \in E$ and $\pi$ is a run induced
by $(v \| c \| e)$,

(iii) for every $v \in V$, $c \in C$, $e \in E$,
$r(v, c, e) = \{(v', c', e', \pi) \mid v' \sim v,\ c' \sim c,\ e' \sim e$, and $\pi$ is a run
of $S$ induced by $(v' \| c' \| e')\}$ is the set of runs of the process
formed by $v$, $c$, and $e$, closed under renaming of nonces,

(iv) for all $(v, c, e, \pi), (v', c', e', \pi') \in R$, we have
$(v, c, e, \pi) \sim (v', c', e', \pi')$ iff $c = c'$ and $\pi \equiv_c \pi'$.
Hence, the relation $\sim$ models the view of the coercer
$c$ on runs of $S$.

4 General Properties 

In this section, we state general properties of coercion systems
induced by protocols, as introduced in the previous
section. On the one hand, these properties facilitate proofs
of coercion resistance of voting protocols. On the other
hand, they demonstrate the adequacy of our model. In
Section 4.1 we show that, under reasonable assumptions,
to prove coercion resistance it is not necessary to consider
all coercion strategies, i.e., all programs $v \in V$, but rather
suffices to consider a single coercion strategy, the dummy
strategy. In Section 4.2 we briefly discuss the notion of
receipt freeness and show that it is implied by our notion
of coercion resistance. We also show, in Section 4.3, that
multi-voter coercion resistance, where multiple voters are
coerced, is implied by a slight extension of single-voter
coercion resistance, where only one voter is coerced. Except
for the second statement, the other statements have not
been proven in other works on the symbolic analysis of
voting protocols.

4.1 Dummy Theorem 

The theorem that we want to prove requires normal protocols.
In these protocols the coerced voter and the coercer
can freely communicate (there are input and output channels
in both directions) and the set of programs of both
entities contains all processes, with appropriate input and
output channels. For general coercion resistance, protocols
are typically defined in this way.

We define the dummy coercion strategy $v_0$ to be the process
which simply forwards to the coercer all the messages
it receives from the environment and, conversely, forwards
to the environment all the messages it receives from the
coercer.

Now, we call a coercion system for a protocol dummy 
coercion resistant if it is coercion resistant in case a counter 
strategy is demanded only for the dummy coercion strategy. 

To state our dummy theorem, we need to define a relation
$\equiv$ on runs which defines a certain view of the environment.
Let $S = (A, \mathit{in}, \mathit{out}, s_0, P)$ be a protocol with $A = \{v, c, e\}$
and let $\pi$ be a run of $P$. Then, by $\mathit{env}(\pi)$ we denote the
subsequence of $\pi$ which only contains input and output
events for channels of $e$, i.e., events of the form $(c : m)$ and
$(c, m)$ with $c \in \mathit{in}(e) \cup \mathit{out}(e)$. Now, for runs $\pi$ and $\pi'$ we
write $\pi \equiv \pi'$ iff $\mathit{env}(\pi) = \mathit{env}(\pi')$. We extend this relation
to the set of runs of the coercion system of $S$:
$(v, c, e, \pi) \equiv (v', c', e', \pi')$ iff $e = e'$ and $\pi \equiv \pi'$. We say that a set $H$ of
runs is closed under $\equiv$, if $\pi \in H$ and $\pi \equiv \pi'$ implies $\pi' \in H$.

In the following theorem, we assume that $\alpha$ and $\gamma$ are
closed under $\equiv$. As $\alpha$ and $\gamma$ are typically defined based on
the view of the environment, the assumption is satisfied in
most applications, including the protocols that we analyzed.

Theorem 1. Let $S = (V, C, E, r, \sim)$ be a coercion system
for a normal protocol and $\alpha$, $\gamma$ be sets of runs of $S$ closed
under $\equiv$. Then dummy coercion resistance implies (full)
coercion resistance.

Proof sketch (see Appendix A.1 for the full proof).
Assume that $v_0'$ is the counter strategy for the dummy
strategy $v_0$. Let $v \in V$ be any coercion strategy. Then we
show that the parallel composition of $v_0'$ and $v$, i.e., the
process $v_0' \| v$, with a proper renaming of channels, is a
counter strategy for $v$. □

We note that theorems of a similar flavor as the one above
are also considered in cryptographic, simulation-based set- 
tings (see, e.g., [11,24,25]). 

4.2 Receipt Freeness

We define receipt freeness similarly to coercion resistance, 
but with the assumption that the coercer cannot send any 
messages directly to the coerced voter. Hence, only the 
coerced voter can send messages to the coercer. These 
messages can be considered as receipts. This intuition is 
shared with many other works. One could further weaken 
the following definition by fixing a certain class of coercion 
strategies, where, for example, the coerced voter basically 
follows the protocol but provides the coercer with all the 
information obtained during the run of the protocol. 

Definition 8. A coercion system $S = (V, C, E, r, \sim)$ is
receipt-free in $\alpha$ w.r.t. $\gamma$, if the system $S' = (V, C', E, r, \sim)$,
where $C'$ consists of all the programs in $C$ which do not
directly send messages to the coerced voter, is coercion-resistant
in $\alpha$ w.r.t. $\gamma$.

Alternatively to restricting the coercer, one could require 
the coerced voter not to accept messages from the coercer. 
As an immediate consequence of the above definition, we 
obtain the following theorem. 

Theorem 2. If a coercion system is coercion-resistant,
then it is receipt-free.

4.3 Multi-voter Coercion Resistance 

In this section, we show that multi-voter coercion resistance
is implied by a slight extension of single-voter coercion re- 
sistance. The main idea is that in case of multiple coerced 
voters, all coerced voters, except for one, can be considered 
to be dishonest, and hence, their behavior can be subsumed 
by the coercer, leaving the case of a single coerced voter. 

In what follows, let $S = (A, \mathit{in}, \mathit{out}, s_0, P)$ be a protocol
with $A = \{v, c, e\}$. According to the definition of multi-voter
coercion resistance (see Section 2), we assume that
the programs of $v$ are processes of the form $(p_1 \| \cdots \| p_n)$,
where $p_i$ represents a process of the coerced voter $v_i$,
with its own sets $I_i$ and $O_i$ of input and output channels,
respectively. We have that $\mathit{in}(v) = I_1 \cup \cdots \cup I_n$ and
$\mathit{out}(v) = O_1 \cup \cdots \cup O_n$.

Given $S$, we define for every coerced voter $v_i$ a new protocol
$S_i$, where $v_i$ is the only coerced voter and every other
coerced voter is considered to be dishonest, and hence,
subsumed by the coercer. The environment $e$ in $S_i$ is the same
as in $S$.

We let $T$ denote the coercion system for $S$ and $T_1, \ldots, T_n$
the coercion systems for $S_1, \ldots, S_n$, respectively.

Now, we slightly extend the notion of (single-voter) co- 
ercion resistance, as mentioned before. An explanation fol- 
lows the definition. 

Definition 9. A system $S = (R, V, C, E, r, \sim)$ is coercion
resistant for $(\alpha_0, \ldots, \alpha_n)$ w.r.t. $\gamma$, where $\alpha_0, \ldots, \alpha_n, \gamma \subseteq R$,
if for each $v \in V$ there exists $v'$ such that the following
conditions are satisfied.

(i) For every $k \in \{1, \ldots, n\}$, $c \in C$, $e \in E$, and
$\rho \in r(v, c, e) \cap \alpha_k$, there exists $e' \in E$ and
$\rho' \in r(v', c, e') \cap \alpha_{k-1}$ such that $\rho \sim \rho'$.

(ii) For every $k \in \{1, \ldots, n\}$, $c \in C$, $e \in E$, and
$\rho \in r(v', c, e) \cap \alpha_k$, there exists $e' \in E$ and
$\rho' \in r(v, c, e') \cap \alpha_{k-1}$ such that $\rho \sim \rho'$.

(iii) For every $c \in C$ and $e \in E$, we have that
$r(v', c, e) \subseteq \gamma$.

First note that condition (iii) of the definition is the same
as the corresponding condition in Definition 2. Also, for
$n = 1$ and $(\alpha_0, \alpha_1) = (R, \alpha)$ the rest of the conditions
coincide with Definition 2 as well. A property $\alpha_i$ contains,
for example, all runs in which there are at least $i$ votes for
all candidates by honest voters. Now, when going from a
run where the coerced voter carries out $v$ to a run where
he/she carries out $v'$, then in the latter runs honest voters
might have to vote in different ways in order to balance
the behavior of $v'$. The above definition requires that in
the run with $v'$ still $\alpha_{i-1}$ is satisfied, and hence, in the
example, there are still at least $i-1$ votes for all candidates
by honest voters.

We obtain the following theorem, which says that to
prove multi-voter coercion resistance, it suffices to show
single-voter coercion resistance in the sense of Definition 9.
Despite the quantification over $i$ in the following theorem, it
typically suffices to prove (single-voter) coercion resistance
for one $T_i$, due to symmetry.

Theorem 3. Let $S, S_1, \ldots, S_n$ and $T, T_1, \ldots, T_n$ be defined
as above. Let $\alpha_0, \ldots, \alpha_n$ and $\gamma_1, \ldots, \gamma_n$ be properties of $T$,
i.e., sets of runs of $T$. If, for each $i \in \{1, \ldots, n\}$, we have
that $T_i$ is coercion-resistant for $(\alpha_0, \ldots, \alpha_n)$ w.r.t. $\gamma_i$, then
$T$ is multi-voter coercion resistant in $\alpha_n$ w.r.t. $\gamma_1 \cap \cdots \cap \gamma_n$.

The proof of this theorem is postponed to Appendix A.2.
As mentioned before, the proof of this theorem relies on the
fact that coerced voters, except for one, can be considered
to be dishonest voters, and hence, can be subsumed by the
coercer. Our analysis of the protocol by Okamoto [33] shows
that if dishonest voters are not considered, then single-voter
coercion does in fact not imply multi-voter coercion: One
can show that the Okamoto protocol is coercion resistant
in the case of a single coerced voter without any dishonest
voters. But the protocol is not coercion resistant with
two coerced voters and still no dishonest voters (see the
appendix).

5 Civitas 

In this section, we briefly recall the Civitas system [14], 
discuss how this system is modeled in our framework, and 
present positive and negative results of our analysis of Civ- 
itas, i.e., we state conditions under which Civitas does not 
guarantee coercion resistance and conditions under which 
coercion resistance is achieved. This is the first rigorous 
analysis of Civitas and our analysis brings out subtleties 
that have not been observed before. A detailed treatment 
can be found in Appendix B.

5.1 Protocol Description 

We now briefly describe the Civitas system. A more de- 
tailed specification of this system in our framework is pro- 
vided in the appendix. We start with a short description of 
the various cryptographic primitives employed in Civitas. 

Cryptographic primitives. Civitas uses, among others, en- 
cryption schemes that allow for homomorphic encryption, 
random reencryption, and/or distributed decryption. In 
an encryption scheme with distributed decryption, a public 
key is generated by multiple parties. This public key can be 
used for encryption as usual. However, the participation of 
all parties involved in generating the public key is necessary
to decrypt a message encrypted under the public key. Civitas
also uses a distributed plaintext equivalence test (PET),
where multiple parties participate in determining whether 
two different ciphertexts contain the same plaintext. Fi- 
nally, Civitas employs a number of zero-knowledge proofs 
and a mix network. 

Protocol participants. The Civitas system assumes the
following protocol participants: the supervisor $S$, voters
$v_0, \ldots, v_m$, the bulletin board $B$ (which is a kind of
write-only, publicly accessible memory), registration tellers
$R_0, \ldots, R_k$, ballot boxes $X_0, \ldots, X_k$, and tabulation tellers
$T_0, \ldots, T_k$. As in [14], we make the following assumptions:
$S$, $B$, $R_0$, $X_0$, and $T_0$ are honest, the remaining voting
authorities may be dishonest. An arbitrary number of voters
are dishonest, they are subsumed by the coercer. The channel
between the coerced voter and the honest registration
teller is untappable. Channels from voters to the ballot
boxes are anonymous, but not untappable (the coercer can
see whether ballots are sent to a ballot box).

For now, we consider one coerced voter, say $v_0$. We note
that in [14], it is assumed that $v_0$ knows which one of the
registration tellers is honest. It is in fact easy to see that
Civitas is not coercion resistant otherwise. We discuss the
case of multi-voter coercion at the end of this section.

Phases of the protocol. The protocol has three phases: the 
setup, voting, and tabulation phase. 

In the setup phase the following steps are performed. The
tabulation tellers collectively generate a public key $K_T$ and
post it on the bulletin board; messages encrypted under $K_T$
are decrypted in a distributed manner by the tabulation
tellers. Next, each registration teller $R_j$ randomly generates,
for each voter $v_i$, a private credential share $s_{ij}$ and
posts the corresponding public share $S_{ij}$ = {sij}^^ on the
bulletin board, where represents the random coins used
in the encryption of $s_{ij}$. The public credential $S_i$ of $v_i$ is
publicly computable as $S_i = (S_{i0} \times \cdots \times S_{ik})$. Now, a voter
$v_i$ registers at each $R_j$ to acquire his/her private credential
shares $s_{ij}$, which come with a designated verifier reencryption
proof (DVRP) that $s_{ij}$ corresponds to the public share
$S_{ij}$ posted on the bulletin board (such a proof is built using
the public key of the voter; a voter, or any party who knows
the corresponding private key, is able to forge such a proof,
which is crucial for coercion resistance). The voter then
computes his/her private credential $s_i = s_{i0} \times \cdots \times s_{ik}$.

In the voting phase, a voter $v_i$ posts his ballot $b_i$ on all
the ballot boxes (it is enough if the ballot is published
on only one such box to be taken into account in the
tabulation phase). A ballot consists of an encrypted vote
{'^Ykt' encrypted credential {siYj^_^, a zero-knowledge
proof showing that $v$ is a valid vote, and a zero-knowledge
proof showing that the submitter simultaneously knows $s_i$
and $v$.

In the tabulation phase, tabulation tellers collectively 
tally the election by performing the following steps: (1) 
They retrieve the ballots from ballot boxes and the pub- 
lic credentials from the bulletin board. (2) They check the 
proofs of the ballots, eliminating those ballots with invalid
proofs. (3) Using PETs, duplicate ballots, i.e., ballots with 
the same encrypted credential, are eliminated according to 
some fixed policy. (4) First the ballots and then the cre- 
dentials are mixed by each tabulation teller, by applying 
a permutation and using reencryption. (5) Ballots with- 
out valid credentials are eliminated, again using PETs. (6) 
The votes of the remaining ballots are decrypted in a dis- 
tributed manner by the tabulation tellers and published. 
In steps (3)-(6) zero-knowledge proofs are posted to ensure 
that these steps are performed correctly. 

5.2 Negative Results 

Clarkson et al. [14] claim that under the assumptions men- 
tioned before, Civitas is coercion resistant. Just as in the 
protocol by Juels et al. [23], the idea behind the counter 
strategy of the coerced voter is to provide the coercer with 
a fake credential, which prevents the coercer from voting. 
Clarkson et al. briefly mention that a voter might not be 
able to vote if a registration teller refuses to provide a cre- 
dential share to the voter and propose to use an additional 
voting authority, which attests the misbehavior of the registration
teller. However, in the course of trying to prove
that Civitas is coercion resistant, we found further prob- 
lems that make clear that, under the mentioned conditions, 
Civitas does not provide coercion resistance, if the goal of 
the coerced voter is to vote for a specific candidate, say z. 

The first problem is the following. We may well as- 
sume that all dishonest registration tellers provide creden- 
tial shares to all voters. But they might in addition inform 
the coercer who has registered. Now, if the coercion strat- 
egy dictates the coerced voter not to register, there is no 
way that the coerced voter can register, as the coercer would 
be informed. In particular, there is no counter strategy that 
would allow the coerced voter to vote for z, as the coerced 
voter cannot register in the first place, and hence, does not 
know all credential shares required for casting a valid ballot. 

There is also another more subtle coercion strategy, 
which instructs the coerced voter to reveal his/her private 
key to the coercer before the registration phase. Now, a 
dishonest registration teller collaborating with the coercer, 
can use this private key to forge the DVRP. As a result, 
the coerced voter cannot be sure to have obtained a valid 
credential share. Hence, even if this voter obtained a cre- 
dential share from every registration teller, he/she might 
still not be able to vote. 

5.3 Positive Results 

We found that Civitas is coercion resistant in all of the 
following three settings: 

1. All registration tellers are honest and the goal of the 
coerced voter is to successfully vote for the candidate 
of his/her choice. 



2. The goal of the coerced voter is only to prevent the 
coercer from casting a valid ballot, where otherwise the 
assumptions about channels and honest and dishonest 
authorities are as in [14] and discussed above. 

3. The goal of the coerced voter is to successfully vote 
for the candidate of his/her choice, but the coercion 
strategies are restricted in that they first dictate the 
coerced voter to register as prescribed by the protocol 
and only then follow some arbitrary coercion strategy. 
Otherwise, the assumptions are as in [14] and discussed 
before. 

The assumptions in the first setting appear to be too strong, 
given that the main difference of Civitas compared to the 
Juels et al. protocol, on which Civitas is based, was to re- 
place a single trusted registration teller by a group of pos- 
sibly dishonest registration tellers. The second setting does 
not provide the coerced voter with many guarantees. The
last setting, which we refer to by Civitas with restricted 
coercion strategies, seems to be the most interesting and 
certainly the most challenging to prove. We will therefore 
concentrate on this setting in the rest of the section. One 
can imagine that the registration is performed long before 
the election and that in this phase the coercer does not yet 
try to influence the voter. 

We note that in case of Civitas with restricted coer- 
cion strategies, the coercer can still ask the voter to reveal 
his/her private key, but only after the registration of the 
voter. Hence, the voter can check whether he/she has ob- 
tained a valid credential share. Also note that registration 
tellers might be dishonest. 

The main theorem of this section states that Civitas
with restricted coercion strategies is coercion resistant in
$\alpha$ w.r.t. $\gamma_z$, for any candidate $z$, in the sense of Definition 2.
We now formulate $\alpha$ and $\gamma_z$.

We first introduce some terminology. We say that a ballot
posted by a voter is posted successfully, if this ballot is
delivered to the honest ballot box before the voting phase
ends. A run $\rho$ is fair w.r.t. the coerced voter $v_0$, if, in this
run, (1) all the registration and tabulation tellers follow the
protocol, i.e. post all messages and correct zero-knowledge
proofs, as required, (2) $v_0$ obtains his credentials before the
voting phase ends, and (3) if $v_0$ posts a valid ballot before
the voting phase ends, then this ballot is posted successfully.

The properties $\gamma_z$ and $\alpha$ defined next, will be discussed
below.

For every candidate (or valid vote) $z$, the goal $\gamma_z$ of the
coerced voter $v_0$ is defined to be the set of all runs satisfying
the following conditions: If a run is fair w.r.t. $v_0$, then the
coerced voter successfully votes for $z$.

The set $\alpha$ of runs contains all runs satisfying the following
conditions: (1) For each possible candidate (or valid vote),
there is at least one honest voter who successfully casts this
vote. (2) There is at least one honest voter who obtains his
credential before $v_0$ finishes registration and abstains from
voting. (3) There is at least one honest voter who obtains
his credential, but posts successfully a ballot with an invalid
credential. (4) There is at least one honest voter who posts
a ballot after $v_0$ finishes registration.

Let us first discuss $\gamma_z$. By Definition 5 (iii) $\gamma_z$ means
that the counter strategy of $v_0$ must be such that $v_0$ votes
successfully for $z$ in every fair run. In runs that are not fair
w.r.t. $v_0$ it is clear that the vote of the coerced voter will not
be counted, either because a tabulation teller misbehaved
in an observable way, making the election invalid, or the
ballot did not reach any ballot box in time, and as a result
is not decrypted and published by a tabulation teller. The
latter can happen if messages on the network are delayed for
too long, possibly caused by the coercer. These are obvious
reasons why a vote might not be counted. Hence, $\gamma_z$ is a
very strong goal.

Now, consider the conditions (1) to (4) for $\alpha$: Condition
(1) was already motivated in Section 2. Condition (2) is
needed because if no honest voter abstains from voting, the
coercer could tell that the coerced voter does not abstain
from voting, even though he/she was supposed to abstain,
just by counting the published votes. Moreover, if $v_0$ completed
registration before everybody else (the coercer can
even force this to happen when cooperating with a dishonest
registration teller), then if some ballot is posted, the
coercer knows that this must have been $v_0$. (We assume
that honest voters do not post ballots without completing
registration.) In this way, the coercer could again force $v_0$
to abstain from voting. Condition (3) is also necessary. If
the coercer posts a ballot with the fake credential provided
by $v_0$, and if all honest voters only post valid credentials,
then the coercer can tell that he/she was fooled, and hence,
the counter strategy of the coerced voter fails. Finally,
condition (4) is needed for similar reasons as condition (2).

Conditions (1) and (4) arguably exclude runs that are 
unlikely to happen anyway. However, this is debatable for 
condition (3) (maybe also for (2)). There is no reason to as- 
sume that an honest voter would use an invalid credential, 
even if he/she has a valid one (such a voter would have to 
deviate from the protocol). To avoid condition (3), we sug- 
gest that Civitas contains some authority which randomly 
casts some ballots with invalid credentials. Similar "noise" 
can also help to avoid condition (2). 
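
The balancing argument behind condition (3) can be replayed in a small symbolic model. The following Python sketch is an added example, not code from the paper or from Civitas: it reduces tabulation to the public counts the coercer sees (ballots posted, duplicates and invalid credentials eliminated by PETs, tally), does not model message timing (condition (4) and the ordering part of (2)), and every name in it is an assumption.

```python
from collections import Counter
from itertools import product

CANDIDATES = ("a", "b")                  # constructed candidate set
ABSTAIN, INVALID = "abstain", "invalid"  # remaining honest behaviours
BEHAVIOURS = CANDIDATES + (ABSTAIN, INVALID)


def tabulate(ballots, valid_creds):
    """Symbolic tabulation steps (3), (5), (6): (public view, counted ballots)."""
    seen, kept, duplicates = set(), [], 0
    for cred, vote in ballots:           # step (3): PET-based duplicate removal;
        if cred in seen:                 # "first ballot wins" is an assumed policy
            duplicates += 1
        else:
            seen.add(cred)
            kept.append((cred, vote))
    counted = [(c, v) for c, v in kept if c in valid_creds]   # step (5)
    tally = tuple(sorted(Counter(v for _, v in counted).items()))
    # After mixing, the coercer learns only these counts and the tally.
    view = (len(ballots), duplicates, len(kept) - len(counted), tally)
    return view, counted


def honest_ballots(honest):
    """Ballots of honest voters h0, h1, ...; INVALID posts a bogus credential."""
    out = []
    for i, behaviour in enumerate(honest):
        if behaviour in CANDIDATES:
            out.append((f"h{i}", behaviour))
        elif behaviour == INVALID:
            out.append((f"bogus{i}", CANDIDATES[0]))
    return out


def run(counter_strategy, honest, coercer_vote, z):
    """One run; returns (coercer's view, whether v0's vote for z is counted)."""
    valid = {"v0"} | {f"h{i}" for i in range(len(honest))}
    ballots = honest_ballots(honest)
    if counter_strategy:   # v0 hands over a fake credential and votes z itself
        ballots += [("v0", z), ("fake0", coercer_vote)]
    else:                  # v0 obeys: the coercer votes with the real credential
        ballots += [("v0", coercer_vote)]
    view, counted = tabulate(ballots, valid)
    return view, ("v0", z) in counted


def satisfies_alpha(honest):
    """Conditions (1)-(3) of alpha, without their timing parts."""
    return (all(c in honest for c in CANDIDATES)
            and ABSTAIN in honest and INVALID in honest)


def balancing_environment(honest, coercer_vote, z):
    """Honest behaviour e' whose counter-strategy run gives the coercer the
    same view as the obedient run with `honest`; None if he can tell."""
    target, _ = run(False, honest, coercer_vote, z)
    for alt in product(BEHAVIOURS, repeat=len(honest)):
        view, goal = run(True, alt, coercer_vote, z)
        if view == target and goal:
            return alt
    return None


if __name__ == "__main__":
    with_noise = ("a", "b", ABSTAIN, INVALID)   # constructed environment in alpha
    without_noise = ("a", "b", ABSTAIN)         # violates condition (3)
    for env in (with_noise, without_noise):
        print(env, satisfies_alpha(env), balancing_environment(env, "a", "b"))
```

With an honest invalid ballot in the obedient run, the coercer's fake-credential ballot takes its place in the count of eliminated ballots; without one, the counter-strategy run always shows at least one more invalid credential than the obedient run, so no matching environment exists.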

Theorem 4. The coercion system induced by Civitas with
restricted coercion strategies is coercion resistant in $\alpha$ w.r.t.
$\gamma_z$, for any valid vote $z$.

The proof of this theorem is given in the appendix. Let 
us note that the theorem holds for any number of honest 
and dishonest voters and authorities. We also note that 
the proof of this theorem does not depend on the policy 
used to remove duplicates. In particular, it does not matter 
whether re-voting is allowed or not.

Multi-voter coercion. Theorem 4 can easily be generalized
to multi-voter coercion resistance. Suppose that a
number $k$ of voters is being coerced. Suppose that the goal
of voter $v_k$ is $\gamma_k$. By Theorem 3, to prove multi-voter
coercion resistance in $\alpha$ w.r.t. $\gamma = (\gamma_1 \cap \cdots \cap \gamma_n)$, it is enough
to prove (*): a system with only one coerced voter $v_i$ is
coercion resistant for $(\alpha_0, \ldots, \alpha_n)$ w.r.t. $\gamma_i$, with $\alpha_n = \alpha$.

We define $\alpha_k$ as the set of runs where (1) for each possible
vote, there are at least k honest voters who successfully 
cast this vote, (2) there are at least k honest voters who 
obtain their credentials, before any of the coerced voters 
finishes registration, and abstain from voting, (3) there are 
at least k honest voters who obtain their credential, but 
post ballots with invalid credentials, (4) there are at least 
k honest voters who post a ballot after the coerced voters 
finish registration. 

The proof of (*) is very similar to the one for Theorem 4.
Hence, multi-voter coercion resistance follows.

6 Lee et al. Protocol 

In this section, we analyze a protocol proposed by Lee et 
al. [28] within our framework. We show that the protocol is 
not coercion resistant in general, but propose an extension 
of the protocol for which we can show coercion resistance. 

6.1 Protocol Description 

The Lee et al. protocol assumes that every voter owns a 
tamper-resistant device, called a randomizer. 

In the setup phase, the tallying tellers $T_1, \ldots,$ generate
and publish their common public key $K_T$ for threshold
decryption.

In the voting phase, a voter prepares his/her ballot, con- 
taining a vote encrypted under Kj, and gives it to his/her 
randomizer which reencrypts the ballot and signs it, and 
sends the result s back to the voter along with a designated 
verifier reencryption proof (DVRP) (such a DVRP can be 
forged by anyone who knows the private key of the voter).
This part of the communication is assumed to be entirely 
private. Then the voter checks the proof, computes his/her 
own signature on s and posts it on the bulletin board. 

In the tallying phase, the following is done: (1) the dou- 
ble signatures of voters and their randomizers on the posted 
ballots are verified and invalid ballots are eliminated, (2) 
the remaining ballots are shuffled and reencrypted and the 
result is posted on the bulletin board, (3) talliers jointly 
decrypt shuffled ballots and publish the tally result. Cor- 
rectness of all these steps is assured by posting appropriate 
non-interactive zero-knowledge proofs.

6.2 Negative Results 

Assuming that the goal of the coerced voter is to vote for a 
particular candidate, it is easy to see that this protocol is 
not coercion resistant: There is a simple abstention attack 
where the coercer disallows the coerced voter to put a bal- 
lot signed by this voter on the bulletin board. So, one can 
at most hope to prove that if a ballot signed by the coerced 
voter and his/her randomizer has been put on the bulletin
board, then the vote of the coerced voter is counted. How- 
ever, even this weaker form of coercion resistance cannot be 
shown: A coercer could prepare a ballot with some invalid 
vote which is unlikely to occur otherwise and then ask the 
coerced voter to give this ballot to his/her randomizer, sign 
the result and put it on the bulletin board. The coercer can 
check whether his/her vote is decrypted, assuming a dishon- 
est tallying teller collaborating with the coercer. (The Lee 
et al. protocol is designed to deal with dishonest tallying 
tellers.) Therefore, a counter strategy is forced to use the 
ballot prepared by the coercer, and hence, the goal of the 
coerced voter cannot be achieved. 

6.3 Positive Results 

To prove coercion resistance, one could assume that all tal- 
lying tellers are honest, but this is not the point of the Lee 
et al. protocol. We instead propose a slight extension of the 
protocol, where the randomizer expects in addition to the 
ballot a zero-knowledge proof which shows that the vote 
in the ballot is well-formed (just as in Civitas). The randomizer
then checks the proof before replying. With this
extension of the protocol, we obtain coercion resistance for
a natural $\gamma_z$ and $\alpha$: $\gamma_z$ contains all runs where the coerced
voter successfully votes for $z$, if some ballot signed
by this voter and his/her randomizer appears on the bul- 
letin board (within the voting phase) and all zero-knowledge 
proofs that have to be provided by the authorities are valid. 
Note that this goal does not exclude abstention attacks. For 
the same reason explained above, these attacks are still pos- 
sible in the extended version of the Lee et al. protocol. The 
set a is simply the set of runs where for each possible vote 
there is at least one honest voter who successfully casts this 
vote. 

Theorem 5. The coercion system induced by the extended
version of the Lee et al. protocol is coercion resistant in $\alpha$
w.r.t. $\gamma_z$, for any valid vote $z$.

The proof of this theorem is sketched in the appendix.

7 Related Work

Coercion resistance in a symbolic model was first formu- 
lated by Delaune et al. [16-18]. This work was then further 
developed by Backes et al. [4]. Both the work by Delaune 
et al. and Backes et al. were motivated by the desire to use 
ProVerif [10], a tool for security protocol analysis, for the 
automatic analysis of voting protocols. Due to the focus 
on automation, the notions of coercion resistance studied 
in these works are more restricted than the one considered 
here. For example, the notion of coercion resistance intro- 
duced by Delaune et al. does not apply to Civitas or the 
protocol by Juels et al. [23], as the class of coercion strategies
and counter strategies they consider is too restricted.



To show coercion resistance of the Lee et al. protocol, De- 
laune et al. study a variant of this protocol which is different 
to the one studied here. One of the abstention attacks that 
we point out still works for their variant. However, this 
attack is out of the scope of their notion of coercion re- 
sistance. Conversely, the notion of coercion resistance by 
Backes et al. is inspired by the one of Juels et al., which 
in turn is especially tailored to the specific protocol struc- 
ture of the protocol by Juels et al. and the specific forms of 
coercion strategies. In order to facilitate automation, the 
protocol models that Delaune et al. and Backes et al. con- 
sider are much coarser than ours. For example, the way 
votes are tallied is simplified and mix networks and proofs 
of compliance are not modeled. 

There is also a more fundamental difference between the 
work by Delaune et al. and Backes et al. on the one hand, 
and our work on the other hand. The symbolic model by 
Delaune et al. and Backes et al. is the applied pi calculus [1], 
with its notion of observational equivalence for comparing 
systems/processes. Observational equivalence is a bisimi- 
larity relation which demands that every step of one sys- 
tem is matched by a similar step of the other system. In 
particular, in the works by Delaune et al. and Backes et 
al. the two systems in which the coerced voter runs the co- 
ercion strategy and the counter strategy, respectively, are 
related using the notion of observational equivalence. This 
is fundamentally different to the approach taken here: In 
our epistemic approach, we relate traces of systems and say 
that for every trace of one system, there exists a trace of 
the other system such that the coercer has the same view 
on both traces. In the two traces, honest voters may vote in 
different ways. By this, votes (including abstention) can be 
balanced in case coerced voters vote in different ways in the 
two systems and this balancing may be based on the traces 
as a whole. Conversely, observational equivalence, with its 
strict stepwise correspondence between systems, prohibits 
a simple balancing of votes. As a result, the formulations of 
coercion resistance proposed by Delaune et al. and Backes 
et al. are very complex and less intuitive. In Delaune et 
al., the balancing problem is tackled by restricting the set 
of coercers and coercion strategies. It is assumed that the 
coercer's goal is to vote for a particular party and that co- 
ercion strategies only slightly deviate from the prescribed 
protocol. Altogether this leads to a rather weak notion of 
coercion resistance, excluding, for example, abstention at- 
tacks and other natural coercion strategies, e.g., those rele- 
vant for Civitas. Backes et al. introduce what they call an 
extractor to solve the balancing problem, which makes the 
definition of coercion resistance quite complex and hard to 
understand. 

In [21,22], Jonker et al. also follow an epistemic approach 
to model properties of voting protocols. However, they do 
not consider coercion resistance, only receipt freeness. Re- 
ceipt freeness is modeled w.r.t. a message that a voter could 
use as a receipt. This is only a very rough approximation 
of the intuition behind receipt freeness. Also, Jonker et 
al. do not model any cryptographic operators. A more recent 
work on receipt freeness by Jonker et al. is [20]. 

The work by Baskar et al. [6] focuses on the decidability of 
knowledge-based properties of voting protocols. However, 
they only study a very simplistic notion of receipt-freeness, 
which resembles privacy of votes; coercion resistance is not 
considered. 

As already mentioned in the introduction, there also exist 
several cryptographic definitions of coercion resistance and 
receipt freeness (see, e.g., [13,23,31,33,35]). On the one 
hand, compared to the cryptographic definitions, our sym- 
bolic approach abstracts from many cryptographic details, 
including details of cryptographic primitives and probabilis- 
tic aspects. This leads to weaker security guarantees. On 
the other hand, the simplicity of the symbolic approach 
in general, and our definition in particular, facilitates the 
analysis of protocols and is more amenable to automation, 
which, given the complexity of voting protocols, is a crucial 
advantage. 

8 Conclusion 

In this paper, we presented a general, yet simple and in- 
tuitive definition of coercion resistance of voting protocols 
in an epistemic setting, which does not depend on any spe- 
cific, symbolic protocol or adversary model. We applied our 
definition to three different voting protocols, two of which, 
namely Civitas and the protocol by Okamoto, have not been 
rigorously analyzed before. For all three protocols, we iden- 
tified conditions under which these protocols are coercion 
resistant or fail to be coercion resistant. To obtain these 
results it was vital that our definition of coercion resistance 
allows us to specify various degrees of coercion resistance in 
a way more fine-grained than in previous proposals. Our 
analyses brought out several insights about the three protocols 
that have not been observed before and that led us 
to propose improvements of the protocols. 

We believe that our definition of coercion resistance pro- 
vides a good basis for automated analysis of coercion resis- 
tance, in particular since the definition can be instantiated 
with different protocol and adversary models. However, 
carrying out tool supported analysis was out of the scope 
of the present work. 

A General Properties 

A.1 Proof of Theorem 1 

Before we present the proof of Theorem 1, we define normal 
protocols precisely. 

Definition 10. A protocol $(A, in, out, s_0, P)$ with $A = \{v, c, e\}$ 
is normal if (i) v and c are connected by some input 
and output channels (in both directions), (ii) both v and c 
have an unbounded number of private channels (see the 
paragraph after Definition [S]), (iii) $P(v) = \Pi(in(v), out(v))$ 
and $P(c) = \Pi(in(c), out(c))$. 

Proof of Theorem 1. We first introduce some terminology 
and prove general lemmas about processes for forwarding 
messages between channels. 

Let $p = (I, O, N, f)$ be an atomic process and $h$ be a 
channel renaming, i.e. an injection from Ch to Ch. We define 
an atomic process $h(p)$ as $(I', O', N, f')$ with $I' = h(I)$ and 
$O' = h(O)$, where, for each $(I', N)$-view $U = (\lambda, W)$, we 
put $f'(U) = h(f(h^{-1}(\lambda), W))$. We extend the domain of 
a channel renaming to arbitrary (not necessarily atomic) 
processes in a natural way. 

Now, for processes $P_1$, $P_2$ and a channel renaming $h$, we 
will write $P_1 \models_h P_2$ if for each run $\pi$ induced by $P_1$, the 
run $h(\pi)$ is induced by $P_2$. The following lemma is easy to 
prove. 

Lemma 1. For a process $P$ and a channel renaming $h$, we 
have $P \models_h h(P)$. 

For $c, d \in Ch$, we denote by $\tau_c^d$ the process which simply 
forwards on channel $d$ every message received on $c$. By 
$\tau_c^d \tau_{c'}^{d'}$ we will denote $(\tau_c^d \parallel \tau_{c'}^{d'})$. For a process $P[c_0, c_1]$ 
which uses channels $c_0$ and $c_1$, we will write $P[a_0, a_1]$ for the 
process which uses $a_i$ instead of $c_i$ and otherwise behaves 
like $P[c_0, c_1]$ (i.e. $P[a_0, a_1] = h(P[c_0, c_1])$ for 
$h = \{c_0 \mapsto a_0, c_1 \mapsto a_1\}$). Sometimes we will write $P[\vec{c}]$ instead of 
$P[c_0, c_1]$. 

Let $P$ be a subprocess of some process $P'$. We define an 
equivalence relation $\equiv_P$ on runs induced by $P'$ as follows: 
$\pi \equiv_P \pi'$ iff $\pi|_D = \pi'|_D$, where $D$ is the set of elements of 
the form c and c, for $c \in I_P \cup O_P$. Note that, if $\pi$ and 
$\pi'$ are runs of some protocol $S = (A, in, out, s_0, P)$ with 
$A = \{v, c, e\}$ and $P \in P(e)$, then $\pi \equiv \pi'$ iff $\pi \equiv_P \pi'$. 

Let $P$ be a process. A channel $c$ is called an input channel 
of $P$ if $c \in I_P$ and $c \notin O_P$. A channel $c$ is called an output 
channel of $P$ if $c \in O_P$ and $c \notin I_P$. 

Lemma 2. Let $P[c_0, c_1]$ be a process with some input channel 
$c_0$ and some output channel $c_1$, let $P'$ be a process, and 
$x_0, x_1$ be channels used neither by $P[c_0, c_1]$ nor by $P'$. Let 
$P_1 = (P' \parallel P[c_0, c_1])$ and $P_2 = (P' \parallel \tau_{c_0}^{x_0} \tau_{x_1}^{c_1} \parallel P[x_0, x_1])$. 
Then: 

(1) For each run $\pi$ induced by $P_1$ there exists a run $\pi'$ 
induced by $P_2$ with $\pi \equiv_{P'} \pi'$. 

(2) For each run $\pi$ induced by $P_2$ there exists a run $\pi'$ 
induced by $P_1$ with $\pi \equiv_{P'} \pi'$. 

Proof. Let $f$ be the process $\tau_{c_0}^{x_0} \tau_{x_1}^{c_1}$. To prove (1), suppose 
that $\pi$ is a run induced by $P_1$. We construct $\pi'$ in the following 
way. Whenever it happens in $\pi$ that $(c_0 : m)$ is delivered 
and, in consequence, a reply of $P[c_0, c_1]$ is sent, then two 
steps are performed in $\pi'$: first, $(c_0 : m)$ is delivered and, 
in consequence, the reply $(x_0 : m)$ of $f$ is sent; and second, 
the message $(x_0 : m)$ sent in the first step is immediately 
delivered and, in consequence, the reply of $P[x_0, x_1]$ is sent. 
Furthermore, whenever it happens in $\pi$ that $(c_1 : m)$ is sent 
by $P[c_0, c_1]$, then two steps are performed in $\pi'$: the corresponding 
message $(x_1 : m)$ is sent by $P[x_0, x_1]$ and then 
this message is immediately delivered and, in consequence, 
$(c_1 : m)$ is sent by $f$. It is easy to show that $\pi'$ obtained in 
this way is a run induced by $P_2$ and $\pi' \equiv_{P'} \pi$. 

To prove (2), suppose that $\pi$ is a run induced by $P_2$. We 
construct $\pi'$ in the following way. Whenever it happens in 
$\pi$ that $(x_1 : m)$ is sent by $P[x_0, x_1]$, then, in $\pi'$, the corresponding 
message $(c_1 : m)$ is sent by $P[c_0, c_1]$. When, in $\pi$, 
such a message $(x_1 : m)$ is delivered and, in consequence, 
the reply $(c_1 : m)$ of $f$ is sent, no corresponding step is 
performed in $\pi'$, so, in particular, $(c_1 : m)$ is kept as a message 
to be delivered. Furthermore, whenever it happens in 
$\pi$ that a message $(c_0 : m)$ is delivered and, in consequence, 
the reply $(x_0 : m)$ of $f$ is sent, then no corresponding step is 
taken in $\pi'$, so $(c_0 : m)$ is kept as a message to be delivered. 
When, in $\pi$, a message $(x_0 : m)$ is delivered to $P[x_0, x_1]$, 
then, in $\pi'$, we can deliver $(c_0 : m)$ to $P[c_0, c_1]$. It is easy 
to show that $\pi'$ obtained in this way is a run induced by 
$P_1$ and $\pi' \equiv_{P'} \pi$. (Note, however, that one cannot prove 
$\pi' \equiv_{P_1} \pi$.) This completes the proof of Lemma 2. □ 

To make the proof of Theorem 1 simpler, we assume that 
$\vec{a} = (a_0, a_1)$ with $a_0 \in out(v) \cap inp(c)$ and $a_1 \in out(c) \cap inp(v)$ 
are the only channels shared by c and v in a normal 
protocol. Similarly, we assume that $\vec{d} = (d_0, d_1)$ with 
$d_0 \in out(e) \cap inp(v)$ and $d_1 \in out(v) \cap inp(e)$ are the only channels 
shared by e and v. We stress that these assumptions make 
the proof simpler, but are by no means crucial and can be 
easily dropped. 

For channels $\vec{x} = (x_0, x_1)$, let $v_0[\vec{x}]$ be $(\tau_{d_0}^{x_0} \tau_{x_1}^{d_1})$. $v_0[\vec{x}]$ 
simply forwards on channel $x_0$ each message received on $d_0$ 
and forwards on $d_1$ each message on channel $x_1$. Now, $v_0$ 
is just $v_0[\vec{a}]$. 

To prove Theorem 1, suppose that $v_0$ is not a coercion 
strategy in $\alpha$ w.r.t. $\gamma$ and $v'_0$ is a counter-strategy for $v_0$. Let 
$v$ be a strategy in $V$. We will construct a counter-strategy 
$v'$ for $v$. 

We will write $v'_0[\vec{a}]$ instead of $v'_0$, as channels $\vec{a}$ are used by 
$v'_0$. Similarly, we will write $v[\vec{d}, \vec{a}]$ and $c[\vec{a}]$, for any $c \in C$. 
Let $\vec{x} = (x_0, x_1)$ be some private channels of v not used 
in $v$ nor $v'_0$. Such channels exist due to Condition (ii) of 
Definition 10. Similarly, for a given $c \in C$, let $\vec{y} = (y_0, y_1)$ 
be some internal channels of c not used in $c$. 

We define $v'$ as $(v'_0[\vec{x}] \parallel v[\vec{x}, \vec{a}])$. We will show that $v'$ is 
a counter-strategy for $v$. Let $\sigma = \{\vec{x} \mapsto \vec{a}, \vec{a} \mapsto \vec{y}, \vec{y} \mapsto \vec{x}\}$. 

The following lemma holds true, because none of $\vec{a}$, $\vec{x}$, $\vec{y}$ 
is used by any $e \in E$. 

Lemma 3. Let $\rho = (v, c, e, \pi)$ be a run of $S$. We have that 
$\pi \equiv \sigma(\pi)$. 

Lemma 4. Let $\pi_1, \pi_2$ be runs induced by some $(v \parallel c \parallel e)$ 
such that channels $\vec{x}$ do not occur in $\pi_1, \pi_2$. If $\pi_1 \equiv_c \pi_2$, 
then $\sigma^{-1}(\pi_1) \equiv_c \sigma^{-1}(\pi_2)$. 

Sketch of proof. The lemma follows from the observation 
that, for each channel $z$ occurring in $\pi_1$ or $\pi_2$ (note that 
$z \notin \vec{x}$), if $\sigma^{-1}(z) \in I_c$, then $z \in I_c$. □ 

Now we will show that Item (iii) of the definition of coercion 
resistance holds for $v'$, i.e. $r(v', c, e) \subseteq \gamma$, for all $c \in C$ 
and $e \in E$. So, let $\rho_1 \in r(v', c, e)$, which means that 
Pi = {{^'oM II v[x,d]),c[d],e,7r), 

for some -Oq ~ dq, w ~ w, c ~ c, e ~ e, and some tt induced 
by {v'o[x] II v[x,a] \\ c[a] \\ e). So, by Lemma [U cr(7r) is a 
run induced by {vqIS] \\ v[a,y\ \\ c[y\ \\ e) and thus 

P2^ {vo[a],iv[a,y\ \\ c[j/|), e, cr(7r)) 

is in r{v'Q[d],{v[d,y\ \\ c[y\),e) (note that v[d,y\ \\ c[y\ is 
in P(c), by condition (iii) of Definition [TUl) . Because Uo[a] 
is a counter-strategy for i;o[a], we have that p2 G 7. By 
Lemma [21 tt = o'(7r), which implies pi = P2- Because 7 is 
closed under =, we obtain pi G 7. 

Finally, we will show that Item (ii) of the definition of 
coercion resistance holds for v and v' , i.e. for each c, e, and 
p G r(i'', c, e) n a, there exist e' & E and p' G r{v, c, e) such 
that p ^ p' . For Item (i) one can proceed similarly. This 
completes the proof of the theorem. 

So, let pi G r{v' ,c, e) fl a. We proceed, as above, and so, 
pi is like above and, for p2 defined as above, pi = p2 holds. 
Because a is closed under =, we have p2 € a. As Vgld] is 
a counter-strategy for Vo[d], there exists e' € E and a run 
P2 G r{vo[d],{v[d,y\ \\ c[y\),e') with p2 P2- This means 
that 

p'2 = {Md],{v[d,y\ II c[y]),e',7T'), 

for some e' ~ e', and some tt' induced by {vo[d] \\ v[d,y\ \\ 
c[y\ II e') such that tt' =(£[g^j;]||g[j^]) cr(7r). By Lemma [H 
a~^{-K') is a run induced by (uo[a;] || v[x,d\ \\ c[d] \\ e') and 
thus 

P'l = ((«o[^] II i'[x,d]),c[d\,e',cr-^{TT')) 

is in r((i'o[a;] || v[x,d\),c[d],e') (note that vo[x\ \\ v[x,d\ is 
in P(v), because of condition (iii) of Definition [TO)) . Since 
tt' =(fi[a,in||c[i/]) cr(7'') and /c[o] C /s[s,j;]||c[y], we have tt' =£[5:] 
cr(7r). So by LemmalU a~^{n') =c[a\ t^- Now, by Lemma[2l 
there exists a run tt" induced by {v \\ c[a\ \\ e') such that 
tt" =(c[a]||e') cr"^(7r') with implies tt" =g[s] cr"i(7r'). Hence, 
tt" =c[a] ""i and so, finally, we obtain a run (w, c, e', tt") ~ pi 
in r(w, c, e'). 

A.2 Proof of Theorem 3 

Before we prove the theorem, we state some definitions only 
sketched or omitted in Section [331 

Let $S$ be a protocol as in Section 4.3. We define 
$S_i = (A, in_i, out_i, s_0, P_i)$, where v now represents voter 
$v_i$ only, e is unchanged, and c gets direct access to the 
channels of the coerced voters $v_1, \dots, v_{i-1}, v_{i+1}, \dots, v_n$, i.e., 
$in_i(v) = I_i$, $out_i(v) = O_i$, $in_i(c) = in(c) \cup \bigcup_{j \in W} I_j$, and 
$out_i(c) = out(c) \cup \bigcup_{j \in W} O_j$, where $W = \{1, \dots, n\} \setminus \{i\}$. 
Moreover, $P_i(e) = P(e)$, $P_i(v) = \Pi(in_i(v), out_i(v))$, and 
$P_i(c) = \Pi(in_i(c), out_i(c))$. 

For the proof of Theorem 3, we define a mapping from 
runs $\rho$ of $T$ to runs $\rho^{(i)}$ of $T_i$ and from properties $\beta$ of $T$ 
to properties $\beta^{(i)}$ of $T_i$: Recall that each $v \in P(v)$ is of 
the form $(v_1 \parallel \dots \parallel v_n)$ with $v_i \in \Pi(I_i, O_i)$. For a run 
$\rho = ((v_1 \parallel \dots \parallel v_n), c, e, \pi)$, we define $\rho^{(i)}$ as 
$(v_i, (v_1 \parallel \dots \parallel v_{i-1} \parallel v_{i+1} \parallel \dots \parallel v_n \parallel c), e, \pi)$. For a property $\beta$ of $T$, 
we define $\beta^{(i)}$ to be $\{\rho^{(i)} : \rho \in \beta\}$. When it is clear from 
the context, we will write $\beta$ instead of $\beta^{(i)}$, treating $\beta$ as a 
property of $T_i$. 

We can now turn to the proof of Theorem 3. We define 
a function $f$ which maps a coercion strategy $v_i$ of the i-th 
voter to a counter strategy $v'_i = f(v_i)$, by defining $v'_i$ as 
some (arbitrarily chosen) counter strategy for $v_i$ in $T_i$ (such 
a counter strategy exists, since $T_i$ is coercion resistant). 

Now, for any $v \in P(v)$ which, as we know, must be of the 
form $(v_1 \parallel \dots \parallel v_n)$ with $v_i \in P_i(v)$, and for 
$v' = (v'_1 \parallel \dots \parallel v'_n)$, where $v'_i = f(v_i)$, we will show that $T$, along with $v$ 
and $v'$, meets the conditions of the definition of multi-voter 
coercion resistance. 

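First, let us show that condition (iii) holds. Let $c \in P(c)$, 
$e \in P(e)$ and $\rho \in r(v', c, e)$. So, $\rho$ is of the form 
$((v'_1 \parallel \dots \parallel v'_n), c, e, \pi)$. For each $i \in \{1, \dots, n\}$ we have 
that $\rho^{(i)} \in r_i(v'_i, c_i, e)$, where 
$c_i = (v'_1 \parallel \dots \parallel v'_{i-1} \parallel v'_{i+1} \parallel \dots \parallel v'_n \parallel c)$. 
Thus, $\rho^{(i)} \in \gamma_i$ and so $\rho \in \gamma_i$. Hence, 
$\rho \in \gamma_1 \cap \dots \cap \gamma_n$. 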

Now, let us show that condition (i) holds. The proof for 
condition (ii) is very similar. Let $\rho \in r(v, c, e) \cap \alpha_n$, for some 
$c$ and $e$. Let $u_k$ denote $(v'_1 \parallel \dots \parallel v'_k \parallel v_{k+1} \parallel \dots \parallel v_n)$. 
Note that $u_0 = v$ and $u_n = v'$. We will show, by induction, 
that for each $k \in \{0, \dots, n\}$ there exist $e_k$ and $\rho_k$ such 
that $\rho_k \in r(u_k, c, e_k) \cap \alpha_{n-k}$ and $\rho_k \sim \rho$. Note that, for 
$k = 0$, we can simply take $e_0 = e$ and $\rho_0 = \rho$. So, let us 
assume that the above holds for $k - 1$. We will show that 
it also holds for $k$. So, we have some $e_{k-1}$ and $\rho_{k-1} \sim \rho$ 
such that $\rho_{k-1} \in r(u_{k-1}, c, e_{k-1}) \cap \alpha_{(n-k+1)}$. It follows 
that $\rho_{k-1}^{(k)} \in \alpha_{(n-k+1)}$ and $\rho_{k-1}^{(k)} \in r_k(v_k, c^*, e_{k-1})$, where 
$c^* = (v'_1 \parallel \dots \parallel v'_{k-1} \parallel v_{k+1} \parallel \dots \parallel v_n \parallel c)$. By coercion 
resistance of $T_k$, there exist $e_k$ and $\rho'_k \in r_k(v'_k, c^*, e_k) \cap \alpha_{n-k}$ 
such that $\rho'_k \sim_k \rho_{k-1}^{(k)}$. Let $\rho_k$ be such that $\rho_k^{(k)} = \rho'_k$. 
Hence, $\rho_k \sim \rho_{k-1}$ (as the coercer can see more in $T_k$ than 
in $T$). By transitivity of $\sim$ we have $\rho_k \sim \rho$. We also have 
that $\rho_k \in r(u_k, c, e_k)$ and $\rho_k \in \alpha_{n-k}$. 

B Civitas 

In this section we provide a detailed modeling of Civitas in 
our framework and present the proof of coercion resistance 
of this system. 

B.1 Cryptographic Primitives 

We use a term of the form $(m, m')$ to represent a pair of 
messages $m$ and $m'$; with first(p) and sec(p) yielding, respectively, 
the first and the second component of a pair $p$. 
A term $\mathrm{sig}_k\{m\}$ represents the signature on a message $m$ 
under a (private) key $k$. Such a signature can be verified 
using pub(k), the public key corresponding to $k$. We also 
assume that such a signature reveals $m$. 

We use the following terms to represent randomized encryption 
with reencryption and homomorphic property; 
$\{m\}_k^r$ represents a term $m$ encrypted under a (public) key 
$k$ using a randomness $r$; dec(c, k) represents a decryption 
of a ciphertext $c$ with a key $k$ ($k$ is intended to be a private 
key corresponding to the public key under which $c$ is 
encrypted); reenc(c, k, r) represents a reencryption of a ciphertext 
$c$ under a (public) key $k$ with randomness $r$ (we 
have $\mathrm{reenc}(\{m\}_k^r, k, r') = \{m\}_k^{r+r'}$). We also use symbols 
$+$ and $\times$, equipped with the appropriate equational theory, 
to express the homomorphic property of the encryption: 

$\{m_1\}_k^{r_1} \times \{m_2\}_k^{r_2} = \{m_1 \times m_2\}_k^{r_1+r_2}$. 

Distributed decryption is modelled as follows. Suppose 
that $x_1, \dots, x_n$ are private key shares of some agents 
$a_1, \dots, a_n$. Then, $\mathrm{pub}(x_1), \dots, \mathrm{pub}(x_n)$ are the corresponding 
public key shares (which are intended to be published). 
The distributed public key of $a_1, \dots, a_n$ is now 
$K = \mathrm{pub}(x_1) \times \dots \times \mathrm{pub}(x_n)$. To decrypt a ciphertext 
$c = \{m\}_K^r$, that is a message $m$ encrypted under this key, 
the cooperation of all $a_1, \dots, a_n$ is necessary: each $a_i$ posts 
his public decryption share $p_i = \mathrm{dshare}(c, x_i)$. Now, the result 
of decryption (that is the message $m$) can be computed 
from these shares: $m = \mathrm{distdec}(p_1, \dots, p_n)$. 

In a very similar way we model the distributed plaintext 
equivalence test (PET), which can be used to determine 
whether, for two ciphertexts $c$ and $c'$, the plaintexts of $c$ and 
$c'$ are the same, without revealing anything more about 
these plaintexts (in particular, without decrypting $c$ and 
$c'$). Suppose, again, that $x_1, \dots, x_n$ are private key shares 
of $a_1, \dots, a_n$ and $K = \mathrm{pub}(x_1) \times \dots \times \mathrm{pub}(x_n)$ is their 
distributed public key. To perform a PET on ciphertexts 
$c = \{m\}_K^r$ and $c' = \{m'\}_K^{r'}$ (that is to check whether $m$ 
and $m'$ are the same), each $a_i$ posts his public PET share 
$p_i = \mathrm{petshare}(c, c', x_i)$. Now, the result of the PET can be 
computed from these shares: $\mathrm{distpet}(p_1, \dots, p_n) = T$ iff 
$m = m'$. 

The equational theory for modeling these primitives is 
given in the appendix (Fig. 2). We assume additionally that 
$+$ and $\times$ are equipped with equations for the associativity and 
commutativity properties (we could consider a more complex 
equational theory for these operators, which however makes 
the proof more complicated). This theory will be denoted 
by $E$. 

B.2 Zero-knowledge Proofs 

We will model the zero-knowledge proofs used in the 
protocol following the approach of [5]. A zero-knowledge 
proof will be represented by a term 
$P = \mathrm{ZK}^{\varphi}_{n,k}(t_1, \dots, t_n; s_1, \dots, s_k)$ where $t_1, \dots, t_n$ are terms 
called the private component (the proof will keep these 
terms secret), terms $s_1, \dots, s_k$ are called the public component 
(the proof reveals these terms), and $\varphi$ is a term built 
upon variables $x_1, \dots, x_n, y_1, \dots, y_k$ (no other variables and 
no nonces can occur in this term; $x_i$ is intended to refer to 
$t_i$, while $y_i$ is intended to refer to $s_i$), called the formula of 
$P$. 

We have the following equalities associated to zero-knowledge 
proofs. The first group of equations reveals the 
public components (also the formula) of a proof. The second 
one allows one to check validity of a proof. 

$\mathrm{public}(\mathrm{ZK}^{\varphi}_{n,k}(t_1, \dots, t_n, s_1, \dots, s_k)) = (\varphi, s_1, \dots, s_k)$ 

$\mathrm{check}(\mathrm{ZK}^{\varphi}_{n,k}(t_1, \dots, t_n, s_1, \dots, s_k)) = T$ 

if $\varphi$ is a formula built upon $x_1, \dots, x_n, y_1, \dots, y_k$, 

and $\varphi[t_i/x_i, s_i/y_i] =_E T$. 

To model Civitas, we will use zero-knowledge proofs formally 
defined in Fig. 3. We use semicolons only to enhance 
legibility, as a means of separating private and public components. 
The meaning of these proofs is as follows. 

KnowPriv(x; y) represents a proof of knowledge of the private 
key $x$ associated with the given public key $y$ (i.e. 
$y = \mathrm{pub}(x)$). 

DVRP(a, x; m, m', k, k_v) represents a designated-verifier 
reencryption proof which shows that $m'$ is a reencryption 
of $m$ under $k$; $k_v$ is the public key of the designated 
verifier who, having the corresponding private key, is 
able to forge a faked proof; $a$ is an additional randomness 
used to construct the proof. The proof is valid if 
either (a) $m' = \mathrm{reenc}(m, k, x)$ or (b) $k_v = \mathrm{pub}(x)$, i.e. 
$x$ is a private key associated with public key $k_v$ of the 
designated verifier. 

ProofDShare(x; p, y, c) represents a proof that $p$ is the public 
share for distributed decryption of $c$ w.r.t. $y$, i.e. 
$p = \mathrm{dshare}(c, x)$ and $y = \mathrm{pub}(x)$. 

ProofPETShare(x; p, y, c, c') represents a proof that $p$ is the 
public share for distributed PET of ciphertexts $c$ and 
$c'$ w.r.t. $y$, i.e. $p = \mathrm{petshare}(c, c', x)$ and $y = \mathrm{pub}(x)$. 

$\mathrm{OneOf}_l(r; m, k, \vec{b})$ represents a proof that $m$ is an encryption 
under $k$ of one of the values in $\vec{b} = (b_1, \dots, b_l)$ 
($m = \{b\}_k^r$, where $b$ is an element of $\vec{b}$). 

MutKnow(m, m', r, r'; c, c', k) represents a proof of mutual 
knowledge of the plaintexts contained in ciphertexts $c$ 
and $c'$ ($c = \{m\}_k^r$ and $c' = \{m'\}_k^{r'}$). 

$\mathrm{ProofMix}_l(\vec{r}; \vec{c}_1, \vec{c}_2, k)$, where $\vec{r}, \vec{c}_1, \vec{c}_2$ are tuples of length 
$l$, represents a proof that $\vec{c}_2$ is obtained from ciphertexts 
$\vec{c}_1$ by mixing (i.e. applying some permutation) 
and reencryption ($\vec{r}$ is the collection of random values 
used in reencryption), i.e. $\vec{c}_2[\pi(i)] = \mathrm{reenc}(\vec{c}_1[i], k, \vec{r}[i])$, 
for some permutation $\pi$ of $\{1, \dots, l\}$. 

B.3 Protocol Description 

The participants. The participants of the protocol are: 
the voters $v_0, \dots, v_m$, the supervisor S, the bulletin board B, 
registration tellers $R_0, \dots, R_k$, ballot boxes $X_0, \dots, X_k$, and 
tabulation tellers $T_0, \dots, T_k$. We will assume that B, $R_0$, 
$X_0$, and $T_0$ are honest. The remaining voting authorities 
may be dishonest. We will also assume that some of the voters 
are dishonest and cooperate with the coercer. We assume 
that the channel from the voter's trusted registration teller 
is untappable. 

Figure 2: Theory E — equational theory for modeling Civitas. 

  $\mathrm{checksig}(\mathrm{sig}_k\{m\}, \mathrm{pub}(k)) = T$ 
  $\mathrm{extractmsg}(\mathrm{sig}_k\{m\}) = m$ 
  $\mathrm{dec}(\{x\}^r_{\mathrm{pub}(k)}, k) = x$ 
  $\mathrm{reenc}(\{x\}_k^r, k, r') = \{x\}_k^{r+r'}$ 
  $\mathrm{reenc}(\mathrm{reenc}(x, k, r), k, r') = \mathrm{reenc}(x, k, r + r')$ 
  $\{m_1\}_k^{r_1} \times \{m_2\}_k^{r_2} = \{m_1 \times m_2\}_k^{r_1+r_2}$ 
  $\mathrm{distdec}(p_1, \dots, p_k) = m$ where $p_i = \mathrm{dshare}(\{m\}_Y^r, x_i)$ with $Y = (\mathrm{pub}(x_1) \times \dots \times \mathrm{pub}(x_k))$ 
  $\mathrm{distpet}(p_1, \dots, p_k) = T$ where $p_i = \mathrm{petshare}(\{m\}_Y^r, \{m\}_Y^{r'}, x_i)$ with $Y = (\mathrm{pub}(x_1) \times \dots \times \mathrm{pub}(x_k))$ 
  $\mathrm{first}((x, y)) = x$, $\mathrm{sec}((x, y)) = y$ 
  $x = x = T$, $T \vee x = T$, $x \vee T = T$, $T \wedge T = T$ 

Figure 3: Shortcuts for zero-knowledge proofs. In the equations $t[i]$ denotes the i-th element of a tuple $t$ (obtained by 
appropriately applying destructors to $t$), and $P_l$ denotes the set of all permutations of $\{1, \dots, l\}$. 

In what follows, we assume that $i$ ranges over the set 
$\{0, \dots, m\}$ and $j$ ranges over $\{0, \dots, k\}$. For a participant 
$a$, we will write $\mathrm{sig}_a\{m\}$ instead of $\mathrm{sig}_{k_a}\{m\}$. We will 
also write pub(a) instead of $\mathrm{pub}(k_a)$. 

Setup phase. We do not model here the first part of the 
setup phase, where the supervisor posts the ballot design 
(the set of valid votes), identifies the tellers by posting their 
public keys, and posts the electoral roll (the set of authorized 
voters). Instead, we assume that the public keys of 
the voting authorities, the ballot design, and the electoral 
roll are fixed. Below, we describe the remaining steps of 
this phase. 

Tabulation tellers collectively generate a public key for a 
distributed encryption scheme and post it on the bulletin 
board (decryption of messages encrypted under this key 
requires the participation of all tabulation tellers): 

(KGen1) $T_j \to B : \mathrm{sig}_{T_j}\{h(y_j)\}$ 

(KGen2) $T_j \to B : \mathrm{sig}_{T_j}\{y_j, \mathrm{KnowPriv}(x_j; y_j)\}$ 

where $y_j = \mathrm{pub}(x_j)$ and $x_j$ is a random value, the private 
key share of $T_j$. After the first step, all the tellers wait 
until all commitments are available. After the second step, 
they check proofs (by "checking a proof p" we mean verifying 
that its public components are as required and that 
check(p) = T). Now, $(y_1 \times \dots \times y_k)$ is the distributed public 
key of $T_1, \dots, T_k$. We will refer to this key by $K_T$. 

Next, each registration teller $R_j$ randomly generates credential 
shares $s_{ij}$ (for each voter $v_i$) and posts these shares 
on the bulletin board: 

(Cred) $R_j \to B : \mathrm{sig}_{R_j}\{i, S_{ij}\}$ (for each i, j) 

where $S_{ij} = \{s_{ij}\}^{r_{ij}}_{K_T}$ with $s_{ij}$ and $r_{ij}$ random. The public 
credential of $v_i$ is now publicly computable as 
$S_i = (S_{i1} \times \dots \times S_{ik})$. 



Registration phase. Voters register to acquire their private 
credentials: 

(Reg1) $v_i \to R_j$ : request 

(Reg2) $R_j \to v_i : s_{ij}, \tilde{r}_{ij}, D_{ij}$ 

where $\tilde{r}_{ij} = (r_{ij} + w_{ij})$, for random $w_{ij}$, and 
$D_{ij} = \mathrm{DVRP}(\delta_{ij}, w_{ij}; S_{ij}, S'_{ij}, K_T, \mathrm{pub}(v_i))$, with $S'_{ij} = \{s_{ij}\}^{\tilde{r}_{ij}}_{K_T}$ 
(which, up to the equational theory under consideration, 
is equal to $\mathrm{reenc}(S_{ij}, K_T, w_{ij})$) and random $\delta_{ij}$, is a 
designated-verifier reencryption proof which shows that $S'_{ij}$ 
is a reencryption of $S_{ij}$. The voter verifies this proof. Now, 
his private credential is $s_i = (s_{i0} \times \dots \times s_{ik})$. 

Voting phase. Each voter sends his ballot $b_i$ containing 
his vote along with his credential to all ballot boxes: 

(Vote) $v_i \to X_j : b_i = (\{s_i\}^{r_i}_{K_T}, \{v_i\}^{r'_i}_{K_T}, P_v, P_k)$ 

where $r_i$, $r'_i$ are random, $v_i$ is the vote chosen by 
$v_i$, $P_v = \mathrm{OneOf}_l(r'_i; \{v_i\}^{r'_i}_{K_T}, K_T, b_1, \dots, b_l)$, and 
$P_k = \mathrm{MutKnow}(s_i, v_i, r_i, r'_i; \{s_i\}^{r_i}_{K_T}, \{v_i\}^{r'_i}_{K_T}, K_T)$. The value $v_i$ 
will be called the vote of $b_i$; $s_i$ is the ballot credential of $b_i$; 
$\{v_i\}^{r'_i}_{K_T}$ will be called the encrypted vote of $b_i$, and $\{s_i\}^{r_i}_{K_T}$ 
will be called the encrypted credential of $b_i$. $P_v$ is a zero-knowledge 
proof which shows that the vote is well-formed 
with respect to the ballot design ($v_i$ is one of the valid votes 
$z_1, \dots, z_l$), and $P_k$ is a zero-knowledge proof which shows 
that the submitter simultaneously knows $s_i$ and $v_i$. We will 
sometimes write $b_i[v', s']$ for the message like $b_i$ but with 
$v'$ and $s'$ instead of $v_i$ and $s_i$. 

Tabulation phase. Before the tabulation phase, each ballot 
box posts a commitment to its contents on the bulletin 
board: 

(Comm1) $X_j \to B : \mathrm{sig}_{X_j}\{j, C_j\}$ 

where $C_j = h(\mathrm{contents}(X_j))$. The supervisor then posts his 
own signatures on all these commitments, defining the set 
of votes to be tabulated: 

(Comm2) $S \to B : \mathrm{sig}_S\{j, C_j\}$ 

Then, the tabulation tellers collectively tally the election: 
All tabulation tellers (1) retrieve the ballots from all 
ballot boxes and the public credentials from the bulletin 
board. They also verify that the content of ballot boxes corresponds 
to the commitments posted in (Comm2). Then, 
they (2) check proofs in retrieved ballots and eliminate any 
ballot with an invalid proof. Note that these steps are performed 
by each teller independently, and the resulting set 
of votes, let us denote it by $B$, is determined by the publicly 
known information. 

Next, (3) duplicate elimination (according to some fixed 
policy) is performed, by running PET(c, c'), for all encrypted 
ballot credentials $c, c'$ from distinct ballots in $B$: 

(PET1) $T_j \to B : \mathrm{sig}_{T_j}\{\alpha_j(c, c'), P_{\alpha_j}(c, c')\}$ 

where $\alpha_j(c, c') = \mathrm{petshare}(c, c', x_j)$ and 
$P_{\alpha_j}(c, c') = \mathrm{ProofPETShare}(x_j; \alpha_j(c, c'), y_j, c, c')$. Now, each teller waits 
until all the tellers post their share and verifies the proofs. 
The result of PET for $c, c'$ is $\mathrm{distpet}(\alpha_0, \dots, \alpha_k)$ (it evaluates 
to T if the PET passes) and is publicly computable. 
For each two ballots for which PET holds true, only one is 
kept (according to the mentioned policy). 

Next, (4) mixing ballots is performed on the list of remaining 
ballots $u_0$. Each tabulation teller in turn applies 
its own random permutation $\pi_j$ with reencryption. We assume 
that $u_j$ is the input for the j-th teller: 

(Mix1) $T_j \to B : \mathrm{sig}_{T_j}\{u_{j+1}, P_{u_j}\}$ 

where $\vec{r}_j$ is a vector of random values, 
$u_{j+1}[\pi_j(i)] = \mathrm{reenc}(u_j[i], K_T, \vec{r}_j[i])$, and 
$P_{u_j} = \mathrm{ProofMix}(\vec{r}_j; u_j, u_{j+1}, K_T)$. The result of mixing is 
$u_{k+1}$. Similarly, mixing credentials is performed on the list 
$w_0 = (S_0, \dots, S_m)$ of public credentials. Each tabulation 
teller in turn applies its own random permutation $\pi_j$ with 
reencryption. We assume that $w_j$ is the input for the j-th 
teller: 

(Mix2) $T_j \to B : \mathrm{sig}_{T_j}\{w_{j+1}, P_{w_j}\}$ 

where $\vec{r}'_j$ is a sequence of random values, 
$w_{j+1}[\pi_j(i)] = \mathrm{reenc}(w_j[i], K_T, \vec{r}'_j[i])$, and 
$P_{w_j} = \mathrm{ProofMix}(\vec{r}'_j; w_j, w_{j+1}, K_T)$. The result of mixing is 
$w_{k+1}$. 

The next step is invalid ballots elimination where ballots 
without valid credentials are eliminated. For each ballot 
with the encrypted credential $c$, PET(c, c') is performed 
against every public credential $c'$: 

(PET2) $T_j \to B : \mathrm{sig}_{T_j}\{\beta_j(c, c'), P_{\beta_j}(c, c')\}$ 

where $\beta_j(c, c') = \mathrm{petshare}(c, c', x_j)$ and 
$P_{\beta_j}(c, c') = \mathrm{ProofPETShare}(x_j; \beta_j(c, c'), y_j, c, c')$. Now, each teller 
waits until all the tellers post their share and verifies the 
proofs. The result of PET for $c, c'$ is $\mathrm{distpet}(\beta_0, \dots, \beta_k)$ and 
is publicly computable. If this test fails for all $c'$, the ballot 
is removed. 

Finally, the decrypt step is performed, for each of the remaining 
ballots. Decryption is applied to the encrypted vote $c$ 
of each of the remaining ballots (but not to the encrypted 
credentials): 

(Decr) $T_j \to B : \mathrm{sig}_{T_j}\{\gamma_j(c), P_{\gamma_j}(c)\}$ 

where $\gamma_j(c) = \mathrm{dshare}(c, x_j)$ and 
$P_{\gamma_j}(c) = \mathrm{ProofDShare}(x_j; \gamma_j(c), y_j, c)$. Each teller waits until 
the remaining tellers submit their shares and verifies the 
proofs. Now, the decrypted vote is $v = \mathrm{distdec}(\gamma_0, \dots, \gamma_k)$. 
At this point the result of the voting process is publicly 
computable. 
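
The primitives of Section B.1 and tabulation steps (3) to (5) above, as an added Python example that is not part of the paper and not code from the Civitas system. It assumes ElGamal over a toy prime-order group as the concrete instantiation of the symbolic terms $\{m\}_k^r$, a blinded quotient test as the PET, and a "first ballot wins" duplicate policy; the function names mirror the paper's symbols, the zero-knowledge proofs are omitted, and all keys, credentials and votes are constructed sample values.

```python
import secrets
from functools import reduce

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
# Plaintexts (credentials, votes) are elements of that subgroup.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # exponent in [1, Q-1]

def prod(values):
    return reduce(lambda a, b: a * b % P, values, 1)

def pub(x):
    """Public key (share) for the private key (share) x."""
    return pow(G, x, P)

def enc(m, K, r):
    """{m}_K^r: ElGamal encryption of m under K with randomness r."""
    return (pow(G, r, P), m * pow(K, r, P) % P)

def reenc(c, K, r):
    """reenc({m}_K^s, K, r) = {m}_K^(s+r): multiply by an encryption of 1."""
    return (c[0] * pow(G, r, P) % P, c[1] * pow(K, r, P) % P)

def hmul(c1, c2):
    """{m1}_K^r1 x {m2}_K^r2 = {m1 x m2}_K^(r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def dshare(c, x):
    """Decryption share of the teller holding private key share x."""
    return pow(c[0], x, P)

def distdec(c, shares):
    """Combine the shares of ALL tellers (c is passed explicitly here)."""
    return c[1] * pow(prod(shares), -1, P) % P

def pet(c1, c2, key_shares, blinders=None):
    """Distributed PET: True iff c1 and c2 hide the same plaintext.
    Every teller raises the quotient c1/c2 to a secret blinder; the product
    of the blinded quotients is jointly decrypted and compared with 1, so a
    mismatch reveals only a randomised value. In this toy group the blinders
    cancel out with probability about 1/Q, which gives a false match."""
    blinders = blinders or [rand_exp() for _ in key_shares]
    quot = (c1[0] * pow(c2[0], -1, P) % P, c1[1] * pow(c2[1], -1, P) % P)
    blinded = (prod(pow(quot[0], z, P) for z in blinders),
               prod(pow(quot[1], z, P) for z in blinders))
    return distdec(blinded, [dshare(blinded, x) for x in key_shares]) == 1

def tabulate(ballots, public_creds, key_shares, K, blinders=None):
    """Tabulation steps (3)-(5) without the zero-knowledge proofs.
    ballots: list of (encrypted credential, encrypted vote)."""
    shuffle = secrets.SystemRandom().shuffle
    kept = []                                      # (PET1): first ballot per credential wins
    for cred, vote in ballots:
        if not any(pet(cred, k[0], key_shares, blinders) for k in kept):
            kept.append((cred, vote))
    # (Mix1)/(Mix2): one pass of reencryption plus permutation stands in
    # for the chain of tellers.
    mixed = [(reenc(c, K, rand_exp()), reenc(v, K, rand_exp())) for c, v in kept]
    creds = [reenc(S, K, rand_exp()) for S in public_creds]
    shuffle(mixed)
    shuffle(creds)
    # (PET2): drop ballots whose credential matches no public credential.
    valid = [v for c, v in mixed
             if any(pet(c, S, key_shares, blinders) for S in creds)]
    # (Decr): only the votes are decrypted, never the credentials.
    return sorted(distdec(v, [dshare(v, x) for x in key_shares]) for v in valid)

if __name__ == "__main__":
    xs = [rand_exp() for _ in range(3)]            # tabulation tellers' key shares
    K_T = prod(pub(x) for x in xs)
    s_shares = [pow(G, rand_exp(), P) for _ in range(3)]              # s_ij, one per registrar
    S_i = reduce(hmul, (enc(s, K_T, rand_exp()) for s in s_shares))   # public credential
    s_i = prod(s_shares)                                              # private credential
    invalid = s_i * G % P                          # a credential that matches no public one
    yes, no = pow(G, 1, P), pow(G, 2, P)           # constructed vote encodings
    ballots = [(enc(invalid, K_T, rand_exp()), enc(no, K_T, rand_exp())),
               (enc(s_i, K_T, rand_exp()), enc(yes, K_T, rand_exp()))]
    print(tabulate(ballots, [S_i], xs, K_T) == [yes])
```

The ballot cast with the invalid credential is removed in (PET2) without any credential being decrypted, which is the property the coercion-resistance analysis of Civitas relies on.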

B.4 Modelling of the Protocol 

In addition to the participants enumerated in Section B.3, 
we assume that the coercer c and a key issuer K also participate 
in the protocol. The role of the key issuer is to 
generate private and public keys for each participant and 
to provide these keys on request. 

We assume that $v_0$ is the coerced voter. The voters 
$v_1, \dots, v_n$, for some $n < m$, are honest, while $v_{n+1}, \dots, v_m$ 
are dishonest and will not be modelled directly, but, instead, 
will be subsumed by the coercer. As we mentioned 
before, we assume that S, B, $R_0$, $X_0$, and $T_0$ are honest. The 
remaining authorities, that is $X_i$, $R_i$, $T_i$, for $i \in \{1, \dots, k\}$, 
are assumed to be dishonest and will be subsumed by the 
coercer. Additionally, to model anonymous channels, we 
introduce agents $C_0, \dots, C_k$. The role of $C_j$ is to simply forward 
messages to $X_j$ (and so, $X_j$ cannot associate a sender 
to a received message). 

The set Ch of the channels used in the protocol consists 
of: 

- $ch_{[S \to x]}$, for each protocol participant $x$ (including S), 

- $ch_{[K \to x]}$ and $ch_{[x \to K]}$, for each protocol participant $x \neq K$, 

- $ch_{[B \to x]}$ and $ch_{[x \to B]}$, for each protocol participant $x \neq B$, 
$x \neq C_j$, and $x \neq X_j$, 

- $ch_{[c \to x]}$ and $ch_{[x \to c]}$, for each protocol participant $x$, 

- $ch_{[X_j \to B]}$, 

- $ch_{[v_i \to R_j]}$ and $ch_{[R_j \to v_i]}$, 



Chr, 



and chr, 



- $ch_{[init \to S]}$ is a channel used to initiate S. 

We will use the following notation: for a set $B$, we will write 
$ch_{[B \to *]}$ for the set of all $c \in Ch$ of the form $ch_{[x \to y]}$ with 
$x \in B$. Similarly, we will write $ch_{[* \to B]}$ for the set of all 
$c \in Ch$ of the form $ch_{[x \to y]}$ with $y \in B$. 

We assume that E contains, in addition, constants init, 
request, and done and also constants representing the par- 
ticipant names. 

The protocol we take is $(A, in, out, s_0, P)$, where 
$A = \{v, c, e\}$ and $in$, $out$, $s_0$, and $P$ are defined as follows: 
$in$ and $out$ are the functions: 

  $in(v) = ch_{[* \to v_0]}$, $out(v) = ch_{[v_0 \to *]}$, 
  $in(c) = ch_{[* \to D]}$, $out(c) = ch_{[D \to *]}$, 
  $in(e) = ch_{[* \to H]}$, $out(e) = ch_{[H \to *]}$, 

where $H = \{S, B, R_0, X_0, T_0, v_1, \dots, v_n\}$ is 
the set of honest participants and 
$D = \{c, v_{n+1}, \dots, v_m, R_1, \dots, R_k, X_1, \dots, X_k, T_1, \dots, T_k\}$ is 
the set of dishonest participants. Additionally, both $v_0$ 
and c have an infinite number of private channels (i.e. 
channels that occur only in $in(v) \cap out(v)$ or $in(c) \cap out(c)$, 
respectively). In particular, let $c_v$ be some private channel 
of v. 

The initial sequence is $s_0 = (ch_{[init \to S]} : init)$. For each 
participant $a$, we define the set $P(a)$ of programs of this 
participant as follows. 

Key-Issuer. $P(K)$ consists of programs which assign a distinct 
nonce $k_a$ (the private key of $a$) to each participant 
$a$ and, in response to $(ch_{[x \to K]} : request)$, send on channel 
$ch_{[K \to x]}$ the tuple containing the public keys $\mathrm{pub}(k_a)$ of all 
the participants and, additionally, the private key $k_x$ of $x$. 

Bulletin board. The set $P(B)$ contains one program which 
immediately forwards all received messages to all participants 
(except for $X_j$). 

Ballot box. The set $P(X_0)$ contains one program which, 
after obtaining the message done from S, posts the commitment 
of its content (i.e. the list of the messages received so 
far) on the bulletin board and publishes this content, i.e. 
sends the content to all participants (except for B, $C_j$, and 
$X_j$). In addition, this program immediately forwards to the 
coercer each message it receives (this models the fact that 
the coercer is able to intercept messages sent to the ballot 
box, but cannot block them). 

Supervisor. The set $P(S)$ consists of a program which, in response to the message init, initiates $T_j$ and $R_j$ by sending them the init message and waits until the setup phase is completed (all the necessary commitments and key shares are posted). Then it sends init to all voters and the message done to itself (this models "waiting" for the voting phase to end). When this message is delivered, it sends done to all the ballot boxes and waits for their commitments. After it obtains these commitments, it signs them and posts them on the bulletin board.

Registrars. The set $P(R_0)$ consists of programs which, in response to the message init sent by $S$, request keys and, after obtaining them, pick a distinct nonces and r^, and post sigp. {vj, 5^} to the bulletin board, as defined in (Cred), for each $i \in \{0, \ldots, m\}$. Then, on request sent by $v_j$, it replies with (Reg2).

Honest voters. The set $P(v_i)$, for $i \in \{1, \ldots, n\}$, consists of (a) programs for each valid vote $z$, which after receiving message init from $S$, take the keys from $K$, request credentials (Reg1) and, after obtaining them all (Reg2), post their ballots $b_i$ (Vote), with $v_i = z$ and fresh nonces Tj and r-, to all $C_j$; (b) programs which register like but do not post any ballot (abstain from voting); (c) programs ^_L, which is defined like ^2, but instead of posting a valid ballot, posts a ballot with an invalid credential (some fresh nonce).

Anonymous channel. The set $P(C_j)$ consists of one program which forwards to $X_j$ every message it receives.

Tallier. The set $P(T_0)$ consists of the following programs: a program, after receiving init from $S$, participates in the procedure of public key generation: it picks a nonce $x_i$ (its private key) and posts (KGen1) and then, when it sees that all the tellers have posted their messages (note that it can see this, because the bulletin board forwards all the messages to every participant), it posts (KGen2), waits for the corresponding messages of the remaining tellers and checks the proofs (if these tests fail, it halts). Then, after it obtains (forwarded by the bulletin board) the commitment of $S$ on the contents of all ballot boxes (sent in step (Comm2)), it participates in the tabulation procedure: it posts messages as defined in steps (PET1)-(Decr). After each step, it waits for the remaining tellers to post their messages and verifies whether these messages have an appropriate form and the zero-knowledge proofs are correct. If these tests fail, it halts.

Coerced voter. The set $P(v_0)$ consists of programs of the form $(v_{reg} \parallel v)$, where $v \in \Pi(I_0, O_0)$, for $O_0 = \mathit{out}(v_0)$ and $I_0 = \mathit{in}(v_0) \setminus \{\mathrm{ch}[S \to v_0], \mathrm{ch}[K \to v_0], \mathrm{ch}[R_j \to v_0]\}$, and the program which, after receiving message init from $S$, takes the keys from $K$, requests credentials (Reg1) and, after obtaining them all, sends all the obtained keys and credentials on $c_v$. The program $v_{reg}$, performing registration, is the fixed part of any program of $v_0$; $v$ represents the behaviour of $v_0$ after registration has been done (e.g. in the voting phase). Note that $v$ has access to all the registration data, as it can read the data sent on $c_v$.

Coercer. $P(c)$ is defined as $\Pi(\mathit{in}(c), \mathit{out}(c))$.

B.5 Proof of Theorem H

Let us denote Civitas with restricted coercion strategies by S. Note that this protocol is not normal, because the set V does not contain all programs over $\mathit{in}(v)$, $\mathit{out}(v)$, and thus we cannot use Theorem [1]. Hence, we first show that coercion-resistance of this protocol is equivalent to coercion resistance of some normal protocol S. Let S be defined like protocol S with only one difference: the subprocess $v_{reg}$ of any program of the coerced voter will be now run by a distinct agent Vq, which will be a part of the environment.

Let R be the coercion system induced by S, and R be the coercion system induced by S. Let p be a run of S, which means that $p = ((v_{reg} \parallel v), c, e, \pi)$, where $\pi$ is induced by $(v_{reg} \parallel v \parallel c \parallel e)$. By p we denote $(v, c, (v_{reg} \parallel e), \pi)$. Note that p is a run of S. We extend the operator • to properties of S in a natural way: /3 = {/5 : p e /?}. It is easy to show that the following lemma holds.

Lemma 5. R is coercion-resistant in a w.r.t. 7^ iff R is 
coercion-resistant in a w.r.t. 72. 

One can show that protocol S is normal and both $\alpha$ and $\gamma$ are now closed under =. Hence, we can use Theorem [1]. So, it is enough to provide a counter-strategy $v'$ for a strategy $v$ which simply forwards to the coercer all the messages obtained from the remaining participants and forwards to these participants all the messages obtained from the coercer.

Let $v'$ be the process which, after obtaining the registration data on $c_v$, posts the ballot $b_0 = b[z, s_0]$ and, at the same time, behaves like the forwarder $v$ with the following exception. When he obtains the registration data on $c_v$, he changes it before forwarding: he replaces sqo by a fresh nonce sqo (a faked credential) and Dqq by Dqq = DVRP((5oo, fcvo; '5'oo,'5'oo:-f'^T,pub(vo)) (a faked proof) with random Sqq and Sqq = {soqYx't (recall that $\mathrm{pub}(v_0)$ stands for $\mathrm{pub}(k_{v_0})$). We will show that $v'$ is a counter-strategy for $v$.

First, we show that condition (iii) of Definition [2] holds for $v'$. Let $p$ be a run of the system induced by $v'$, i.e. $p$ is induced by $(v' \parallel c \parallel e)$, for some $c \in C$, $e \in E$. If $p$ is not fair, then there is nothing to prove. So, suppose that $p$ is fair. First, note that, by the fairness assumption, all $R_0, \ldots, R_k$ post all messages and zero-knowledge proofs as required. Since $v_{reg}$ does not send out his private key, the DVRPs he gets cannot be faked, and thus the private credential he obtains is valid. Second, $v'$ obtains his registration data before the voting phase ends.^

Since $v'$ then posts a valid ballot $b_0$ right away (still before the voting phase ends), by the fairness assumption, this ballot is posted successfully and so $b_0$ is in the initial pool of votes to be tabulated.

Now, it is easy to show that $b_0$ will be successfully processed by the tabulation tellers, using the fact that $v'$ never reveals his private credential (so it is not used in any other ballot) and the assumption that the run is fair (and so all the tabulation tellers have to correctly perform all the expected steps, because otherwise they would not be able to construct valid zero-knowledge proofs).

Now, we will show that condition (i) of Definition [2] holds for $v$ and $v'$. So, let $p \in \alpha$ be a run induced by $(v \parallel c \parallel e)$, for some $c \in C$ and $e \in E$.

Since $p$ is in $\alpha$, there is some honest voter, say $v_1$, who successfully posts a ballot $b_1[z, s_1]$ (that is, a ballot with vote $z$), some honest voter, say $v_2$, who obtains his credential and successfully posts a ballot 62 [-Z2, ^2] with an invalid credential (a fresh nonce Sj), and some honest voter, say $v_3$, who posts his ballot $b_3$ after $v_0$ finishes registration.

We take $e' \in E$ which is like $e$ with the following exceptions: (a) $v_3$ abstains from voting, (b) if $v_3$ in $p$ posted his ballot successfully, then $v_1$ votes like $v_3$ voted in $p$; and (c) moreover, if at least one proper ballot with $s_0$ is in $p$ successfully posted and $z_c$ is the vote in the ballot with $s_0$ that is kept after duplicate elimination (note that $z_c$ must be a valid vote), then $v_2$ posts a valid ballot with $z_c$ instead of the invalid one. Also, instead of using permutations ttq and ttq in steps (Mix1) and (Mix2), $T_0$ uses slightly different permutations (see Sect. B.6).

The run $p'$ of $(v' \parallel c \parallel e')$ is constructed from $p$ in the following way. The messages in $p'$ are delivered in the same order as the corresponding messages in $p$ with the following exceptions: first, the message sent by $v_{reg}$ on $c_v$ is delivered immediately and, second, the ballot sent by $v_0$ in $p'$ is delivered at the same step at which the ballot sent by $v_3$ is delivered in $p$ (because $v_0$ sends his ballot just when he gets the registration data on $c_v$, and $v_3$ posts his ballot after it, the ballot of $v_0$ is ready to be delivered at the mentioned step).

^By the expression "$v_0$ obtains his credentials", used in the definition of a fair run w.r.t. $v_0$, we mean formally that this credential is delivered to $v'$.

Now, one can show that p ^ p' . The rough idea is as follows: $v_2$ is used to hide the fact that valid ballots possibly posted by the coercer in $p$ become invalid in $p'$, $v_3$ is used to hide the fact that $v_0$ posts his ballot in $p'$, but abstains from voting in $p$, and finally $v_1$ is used to balance the outcome of the voting. Due to the fact that the coercer cannot tell any difference between an original DVRP and a faked one and the fact that the messages posted on the bulletin board are mixed and reencrypted before decryption, the frames are indistinguishable to the coercer.

Details of the proof depend on (a) whether or not the coercer successfully posts at least one valid ballot with $s_0$ and (b) whether or not $v_3$ posts his ballot successfully. In the next subsection, we present a detailed proof for one of these cases: when the coercer successfully posts one proper ballot with $s_0$, and $v_3$ also posts his ballot successfully.

Now, we will show that condition (ii) of Definition [2] holds for $v$ and $v'$. So, let $p \in \alpha$ be a run induced by $(v' \parallel c \parallel e)$, for some $c \in C$ and $e \in E$. We define the vote $z_c$ as follows: if the coercer, in $p$, successfully posts at least one ballot with sq (where sq is computed like sq, but using soo instead of sqo), then let $z_c$ be the vote in the ballot containing sq which is left after the duplicate elimination phase; otherwise let $z_c$ be any vote. Note that, since a valid ballot has to contain a proof that a vote in it is valid, $z_c$ must be a valid vote.

Since $p$ is in $\alpha$, there is some honest voter, say $v_1$, who obtains his credential before $v_{reg}$ finishes registration, but abstains from voting, and some honest voter, say $v_2$, who successfully votes for $z_c$.

We take $e' \in E$ which is as $e$ with the following exceptions: $v_1$ votes for $z$ and, moreover, if at least one ballot with So is, in $p$, successfully posted, then $v_2$ posts 6[zc, S2], for some unused nonce S2, instead of &[zc, S2]. We also need to slightly change the permutations used by $T_0$ in (Mix1) and (Mix2).

The run $p'$ of $(v \parallel c \parallel e')$ is constructed from $p$ in the following way. The messages in $p'$ are delivered in the same order as the corresponding messages in $p$ with the following exception: the ballot sent by $v_1$ is delivered in the same step at which the ballot sent by $v_0$ was delivered in $p$ (it is possible because this ballot is posted before $v_{reg}$ finishes registration).

Now, one can show that p p' . The rough idea is as follows: $v_2$ is used to hide the fact that the ballots involving the credential given by the coerced voter and possibly posted by the coercer are invalid in $p$ but valid in $p'$; $v_1$ is used to hide the fact that $v_0$ posts his ballot in $p$, but not in $p'$. Moreover, due to the fact that the coercer cannot distinguish an original DVRP and the faked one, and the fact that the messages posted on the bulletin board are mixed and reencrypted, the frames are indistinguishable to the coercer.



B.6 Detailed Case Analysis 

In this subsection we give a detailed proof that the runs $p$ and $p'$, as constructed in the proof for condition (i) above, are indistinguishable to the coercer in the case where the coercer, in $p$, successfully posts exactly one proper ballot $b_c[z_c, s_0]$, and $v_3$ also successfully posts his ballot $b_3[z_3, s_3]$.

Formally, we have to show the following. The run p is of the form (-0,6, e, tt), where w ~ w, c ~ c, e ~ e, and $\pi$ is a run induced by (w || c || e). Similarly, p' is of the form (w', c, e', tt'), where -0' ~ w', e' ~ e', and $\pi'$ is a run induced by ({>' || c || e'). By the definition of ^, we need to prove that tt =c tt', which means that tt tt'. Since, Ic C m(c) it is enough to show that tt =f where N = Nc and / = in{c). This, by the definition of is equivalent to the following statement, where $\varphi = \pi_{|I}$ and $\varphi' = \pi'_{|I}$: (i) chan($\varphi$) = chan($\varphi'$) and (ii) for each $\tau_1, \tau_2 \in T_N$, we have that $\tau_1[\varphi] = \tau_2[\varphi]$ iff $\tau_1[\varphi'] = \tau_2[\varphi']$.

The proof goes as follows. First we describe $\varphi$ and $\varphi'$ (which contain exactly those messages that are seen by the coercer) and show that condition (i) holds. Then we will show that condition (ii) holds as well.

Let us first informally point out the differences in the coercer's view of $p$ and $p'$. These views are very similar; in particular, the lists of votes published by the tallying tellers in both cases are exactly the same. The main differences are summarized in the table below, where $s_0$ denotes $s_{00} \times s_{01} \times \cdots \times s_{0k}$ (i.e. the faked private credential of $v_0$).

                                        $p$                  $p'$
the (faked) credential sent to c        $s_0$                $s_0$
the ballot posted by c                  $b_c[z_c, s_0]$      $b_c[z_c, s_0]$
the ballot posted by $v_3$ / $v_0$      $b_3[z_3, s_3]$      $b_0[z, s_0]$
the ballot posted by $v_1$              $b_1[z, s_1]$        $b_1[z_3, s_1]$
the ballot posted by $v_2$              $b_2[z_2, s_2]$      $b_2[z_c, s_2]$

The messages placed in the same row of the table are seen by the coercer, in $p$ and $p'$, respectively, at the same channel and the same step.

We need also to specify the mentioned permutations ttq 
and ttq, used by Tq in p, instead of ttq and ttq, to mix votes 
and credentials. So, ttq is like ttq, but places the reencryp- 
tions of b2[zc,S2], 6i[z3,si], bo[z,so], bc[zc,so] in the place 
where ttq places the reencryptions of bc[zc,so], 63[z3,S3], 
bi[z, Sl], and b2[z2j Sj], respectively. The permutation 7fg is 
like 7rg, but places the permutations of 6*2, 5*1, 5*0 , S3 in the 
place where 7rg places the reencryptions of ^o, S3, Si, S2, 
respectively, where Si are reencryptions public credentials 
produced in step (Mix2). 

A detailed description of $\varphi$ and $\varphi'$, which are the sequences of messages received by the coercer in $p$ and $p'$, respectively, is given in Fig. [4]. Only messages which are not produced by the coercer (i.e. neither constructed nor randomly generated by him, like for instance messages posted by him on the bulletin board and forwarded back to him) are presented, as the messages produced by him are not essential to the proof (instead of using them in t^, one can use the corresponding terms that were used to construct them). Also, we

Messages in frame $\varphi$          Messages in frame $\varphi'$



(1) (KGenl) h{v^) h{yo) 

(2) (KGen2) yo, KnowPriv(a;o; yo) yo, KnowPriv(a;o; yo) 

(3) (Cred) i, Sio i, Sio (for i e {0..m}) 

(4) (Rcg2) Sio , fio , Dio Sio , fio , Dio (for i € {n + 1 , . . . , m}) 

(5) (Reg2) soo , foo , Doo soo , foo , -Doo 

(6) (Vote) ^^S^Hz-,,Ss],hlz,s,],b,lz„si] bolz, So], h[zs, s,], b,lz^, s,] ^ ^ (for i e {4..n}) 

(7) (Comm) Sigx. {j, Cj}, sigsO', Cj} Sigx. {j, Q}, Sigs{i, Cj} (for j G {0, . . . , fe}) 

(8) (PETl) ao{c,c'), Pao{c,c') (for c c' in Be) ao(c, c'), Pao(c, c') (for c c' in Be) 

6c[ac, So], 63[Z3, S3], 62[2c,S2], 61(23, Si], 

(9) (Mixl) C={ bi[z,si],b2[z2,si] &o[«,So], 6c[^;e,So], }=C (for i = 4..m) 

Pug Pug 

(10) (Mix2) S = <j 'S'o,^3,Si,52 S2, Si, So, S3 , g (fori = 4...m) 



Si 



P P 



(11) (PET2) /3o(c,c'), P/3o(c,c') /3o(c,c'), P/3o(c,c') 

(for c e Ce and c' G S) (for c G C and c' € S) 

(12) (Deer) 70(c), P^o (c) (for c G C„) 70(c), P^(,(c) (for c G d„) 



Figure 4: Messages in (p and (p' . Be denotes the sequence of encrypted ballot credentials in B. Cc (Ce) denotes the sequence 
of encrypted ballot credentials in C (C), and (C^) is the sequence of encrypted votes in C (C). By b[x,y] and Sj we 
denote reencryptions of 6[a;,2/] and Si made by To. Puq (Puo) ^^'^ P-^o {Pu>o) ^^^e the zero-knowledge proofs posted by To in the 
mixing ballots and mixing credentials phase, respectively. Messages that occur in (p and ip' at the same positions, are placed at 
corresponding positions in the table (for example S3 and Si). 



omit signatures on messages which are posted on the bulletin board. We only mention here that the corresponding messages from the left and right columns, if signed, are signed by the same party (for instance, both messages in (1) are signed by $T_0$). We also omit the keys the coercer might have obtained from $K$ (these are the public keys of all the participants and the private keys of the dishonest ones).

Messages (1) and (2) are posted by $T_0$ in steps (KGen1) and (KGen2). Messages (3) are posted by $R_0$ in step (Cred). (4) comprises messages sent by $R_0$ in step (Reg2) to dishonest voters who have requested credentials. Note that up to this point messages in both $\varphi$ and $\varphi'$ are exactly the same. (5) contains the messages sent by $R_0$ to $v_0$ in step (Reg2) and forwarded to the coercer (in $\varphi$) or a faked version of these messages (in $\varphi'$). (6) comprises votes posted by voters on ballot boxes. Messages (7) are the commitments on the content of ballot boxes signed by these boxes and by the supervisor and posted on the bulletin board in steps (Comm1) and (Comm2). (8) are PET shares and proofs posted by $T_0$ in the duplicate elimination phase of tabulation. (9) and (10) are the results of mixing with reencryption of ballots posted by $T_0$ in the mixing ballot phase and the mixing credential phase, respectively, along with the appropriate proofs. By b[x, y] and Si we denote reencryptions of b[x,y] and Si made by $T_0$. (11) contains the PET shares and proofs posted by $T_0$ in the invalid ballots elimination phase. Finally, (12) are the distributed decryption shares and corresponding zero-knowledge proofs posted by $T_0$ in (Decr).

One can check that condition (i) holds (i.e. that chan($\varphi$) = chan($\varphi'$)). Hence, to complete the proof, it is enough to prove that condition (ii) also holds, which is stated by the lemma below.

Lemma 6. For each $\tau_1, \tau_2 \in T_N$, we have that $\tau_1[\varphi] = \tau_2[\varphi]$ iff $\tau_1[\varphi'] = \tau_2[\varphi']$.

The remainder of this section is devoted to sketching the proof of this lemma.

A destructor is any of the following symbols: first, second, unsig, checksig, dec, distdec, distpet, public, and check. The remaining symbols of $\Sigma$ are constructors. We will consider equations associated with destructors as rewriting rules, read from left to right (note that there is exactly one rule associated with each destructor). Moreover, the equations associated with reenc(·, ·, ·) will also be considered as rewriting rules. A term is said to be reduced, if all the above-mentioned equations, regarded as rewriting rules, are applied.

We will call $\varphi$ and $\varphi'$ frames. We will sometimes write $\varphi(x_i)$ instead of $x_i[\varphi]$ (for the $i$-th element of $\varphi$). A frame is closed under applying destructors, if whenever a term of the form $g(x_i, t_1, \ldots, t_n)[\varphi]$, with some destructor $g$, reduces at the top (i.e. a reduction can be applied at the top level of the term), the result of total reduction of this term is also an element of the frame. We stress that such a result is a reduced term.

Now, we define $\varphi_0$ as a closure under applying destructors of $\varphi$ and $\varphi_1$ as the corresponding closure of $\varphi'$, where "corresponding" means that the results obtained by applying the same terms (of the form $g(x_i, t_1, \ldots, t_n)$) to both frames are, in both frames, at the same position. We will show that, for each $\tau_1, \tau_2 \in T_N$, we have that $\tau_1[\varphi_0] = \tau_2[\varphi_0]$ iff $\tau_1[\varphi_1] = \tau_2[\varphi_1]$, which immediately implies Lemma [6].

A test is an expression of the form $\tau_1 = \tau_2$. We will say that a test $\tau_1 = \tau_2$ holds in a frame $\varphi$, if $\tau_1[\varphi] = \tau_2[\varphi]$. A test is basic, if it is either of the form (a) $x_i = \tau$, where $\tau$ is a term with no destructor in the head, (b) $x_i = x_j$, or (c) $x_j = g(x_i, \tau_1, \ldots, \tau_n)$, where $g$ is a destructor and $\tau_1, \ldots, \tau_n$ are some terms.

We define the size of a term in the usual way, but in case of terms representing zero-knowledge proofs {ZK^^^{t)), the size of the formula $\varphi$ is taken into account too.

The following lemma says that the frames $\varphi_0$ and $\varphi_1$ are indistinguishable w.r.t. basic tests.

Lemma 7. For a basic test $\tau_1 = \tau_2$, the following is true: $\tau_1[\varphi_0] = \tau_2[\varphi_0]$ iff $\tau_1[\varphi_1] = \tau_2[\varphi_1]$.

Sketch of Proof, (a) First, let us consider the case where the 
test is of the form x — t, where x is one of xi, X2, . . . and r 
has no destructor in its head. We consider all x case by case. 
For instance, let ifo{x) = {2:3}^^ and ipi{x) = {-^Ixt (these 
messages come from 63[2:3,S3] and &o[-2)So] posted by the 
voters on the bulletin boxes). Suppose that x — t holds in 
ipQ. T cannot have a constructor in its head, because, there 
is no r' such that T'[ipo] = r'^ is never revealed). So, 
r has to be a variable. However, no other variable gives a 
term equivalent to ipi{x). Hence, t must be x and the test 
under consideration also holds in ipi-i. 

(b) If a test is of the form $x_i = x_j$, one can easily see, considering again case by case, that it holds in $\varphi_1$ iff it holds in $\varphi_2$.

(c) If a test is of the form $x_j = g(x_i, \tau_1, \ldots, \tau_n)$, where $g$ is a destructor and $\tau_1, \ldots, \tau_n$ are some terms, one should, again, consider all possible $x_j$ case by case. For instance, if $g$ = distdec (i.e. a distributed decryption is applied), then $x_i$ must be a distributed decryption share provided by $T_0$ (note that the destructor must reduce, because terms in $\varphi_i$ are reduced and the test holds in one of $\varphi_i$). Hence, this decryption is applied to one of the encrypted ballots from the list C of reencrypted and shuffled ballots, and the resulting votes are the same in both frames, and so the test does not distinguish them. □

Lemma 8. Let $\tau_0 = \tau_1$ be a minimal test distinguishing $\varphi_0$ and $\varphi_1$. Then no destructor can be reduced in $\tau_j[\varphi_i]$ ($i, j \in \{0, 1\}$).

Sketch of Proof. For the sake of contradiction, let us sup- 
pose that some destructor can be reduced in Tj[ipi]. Let us 
consider a minimal subterm r of Tj , with a destructor in its 
head, that can be reduced. Thus, its direct subterms are 
either variables of irreducible terms. If the left-most direct 
subterm of r is a variable, then — because ipi is closed un- 
der applying destructors — there is a variable Xk such that 
Xk = Tj holds in ipi . Now, by Lemma [3 Xfe = Tj also holds 
in ipi-i. Hence the considered test is equivalent (in both 
frames) to ti_j = Xk, and thus it is not minimal. 

If the left-most direct subterm of t, let us denote it by t', 
is not a variable, then one can show that there is a subterm 
t" of r' such that t[(^o] = ''""['y'o] and t[(^i] ~ T"[ipi], which 
is impossible, because r* = Ti_j, where r* is obtained from 
Tj by replacing t by t" , would be a smaller test distinguish- 
ing the frames. (We use here the observation that, in this 
case, a destructor can be applied only if some equations of 
some subterms of r' hold in a frame, and because the con- 
sidered test is assumed to be minimal, these equations must 
hold in both frames at the same time. So, in both frames 
the reduction can be applied. Moreover, in case, when the 
destructor in the head of Tj is distdec or distpet, we use 
some particular properties of the frames under considera- 
tion and the fact that the arguments of these destructors 
can be freely rearranged.) □ 

Finally, we prove the following fact which completes the proof of Lemma [6].

Lemma 9. For each $\tau_1, \tau_2 \in T_N$, we have that $\tau_1[\varphi_1] = \tau_2[\varphi_1]$ iff $\tau_1[\varphi_2] = \tau_2[\varphi_2]$.

Sketch of Proof. For the sake of contradiction, suppose that $\tau_0 = \tau_1$ is a test which distinguishes these frames, i.e. it holds in $\varphi_i$ and does not hold in $\varphi_{1-i}$, for some $i \in \{0, 1\}$. We can assume that this test is minimal (w.r.t. the size of terms).

Assume that some of $\tau_j$, say $\tau_0$, is a variable. Then $\tau_1$ has to have a destructor in its head (because, otherwise, by Lemma [3 the test would not distinguish the frames). But, by Lemma m such a destructor cannot be reduced, so the test does not hold in either of $\varphi_i$ (since both frames are reduced and contain no destructors).

Now, assume that none of $\tau_j$ is a variable. If we suppose that none of $\tau_0\varphi_i$, $\tau_1\varphi_i$ reduces at the top, then one can construct a smaller test that distinguishes the frames, which contradicts the assumption about minimality of the test. Hence, it is enough to consider the case when some $\tau_j$, say $\tau_0$, reduces at the top position in $\varphi_i$.
By Lemma [51 we only need to consider three cases, depending on whether the top symbol of $\tau_0$ is (a) reenc, (b) +, or (c) ×. In each case, one obtains a contradiction. For
instance, let us consider the case (a). So, Totpi is of the form 
reenc{reenc{m, k,r), k,r') or reenc({m})I, /c, r'). However, 
since tq is assumed to be reduced, tq has to be of the form 
reer\c{xi,k,r'), for some variable xj. Now, since the frames 
are reduced, (pi{xi) cannot be of the form reenc(TO, k, r), so 
it must be of the form {m}^,. Hence, TQipi is of the form 
reenc{{m}l., k, r') and it reduces to ■ Note that 

there is no term a such that a[(pi] = r, as r is never revealed. 
It implies that ti has to be of the form reenc(a;i' , fc, r') 
with ipi{xii) = {m}l. (there is no other way of obtaining 
). So, $x_i = x_{i'}$ holds in $\varphi_i$ and, by Lemma [7], also holds in $\varphi_{1-i}$. It, however, means that the test $\tau_0 = \tau_1$ holds in $\varphi_{1-i}$, which contradicts the assumption that it distinguishes the frames. □

C Lee et al. Protocol

In this section we describe the protocol [28] in more detail and sketch the proof of coercion-resistance of this protocol. We can model the cryptographic primitives used in this protocol as in the case of Civitas (see Fig. [2]), with some small modifications regarding the threshold decryption scheme.

C.1 Description of the Protocol

The set of agents we take is $A = \{v_0, \ldots, v_n, S, r_0, \ldots, r_n, c, B, T_1, \ldots, T_k, M_1, \ldots, M_k\}$, where $v_0, \ldots, v_n$ are voters, $S$ is the supervisor, $r_0, \ldots, r_n$ are tamper-resistant randomisers, $B$ is the bulletin board, $T_1, \ldots, T_k$ are the tallying authorities, $M_1, \ldots, M_k$ are mixers, and $c$ is the coercer. We assume that the coerced voter is $v_0$.

All the messages posted on $B$ are publicly available. The communication channel between a voter and his tamper-resistant randomiser is assumed to be untappable (i.e. it cannot be observed by the coercer). The remaining channels are public (can be observed by the coercer).

In the setup phase the tallying tellers $T_1, \ldots, T_k$ generate and publish their common public key $K_T$ for the threshold decryption. Then, from the point of view of a voter $v_i$, the protocol execution consists of three steps:

(PI) V, ^ n : nii 

(P2) V, : sigfc^Jm^}, 

DVRP(A; m„m^, ifT,pub(vo)) 
(P3) V, ^B: sigp^b(fc^ ){sigfc^ {to^}} 

where rm — — reenc{mi , Kj , Pi) , and Vi denotes 

the vote chosen by v^, is a random value generated by 
this voter, and Pi is a random value generated by r^. 

In the second phase of the protocol, the following steps are performed: (1) $S$ verifies the double signatures of voters and their randomisers on the posted ballots, and publishes valid ballots on the bulletin board. (2) The mixers $M_1, \ldots, M_k$, in turn, shuffle and reencrypt these ballots, and post the result on the bulletin board. (3) Talliers jointly decrypt shuffled ballots using the $(t, k)$-threshold ElGamal decryption protocol, and finally, (4) $S$ publishes the tally result.

We assume that the correctness of all these steps is assured by posting appropriate non-interactive zero-knowledge proofs. This guarantees that only decryptions allowed by the protocol are performed, provided only a small fraction of the entities is dishonest.

C.2 Proof of Theorem [H

Recall that we want to prove coercion-resistance for the extended version of the protocol. The extension described in Section [6] can be formalised as follows. The voter, instead of step (P1), performs the following step.

(P1a) T ^ B : fUi, Pi

where $P_i$ is a zero-knowledge proof which shows that the vote is well-formed with respect to the ballot design, i.e. $v_i$ is one of the valid votes (one can do it like in Civitas). Then, $r_i$, before replying with (P2), checks this proof.

First, one can show that the protocol is normal and both $\alpha$ and $\gamma$ are closed under =. Hence, we can use Theorem [1]. So, it is enough to provide a counter-strategy $v'$ for a strategy $v$ which simply forwards to the coercer all the messages obtained from the remaining participants and forwards to these participants all the messages obtained from the coercer.

Let $z$ be a choice of $v_0$. Let $v'$ be the process which behaves like the forwarder $v$ with the following exception. When he is instructed to send a message $(m_c, P_c)$, then, instead, he sends $(m_0, P_0)$ as specified in (P1a), and, instead of forwarding the answer of $r_0$ to the coercer, he sends him m'^ signed by $r_0$ along with a faked DVRP for TOc and jtlq. We will show that $v'$ is a counter-strategy for $v$.

First, we show that condition (iii) of Definition [2] holds for $v'$. Let $p$ be a run of the system induced by $v'$, i.e. $p$ is induced by $(v' \parallel c \parallel e)$, for some $c \in C$, $e \in E$. If no message of the form m* , as defined above, is posted on the bulletin board and tallied, then there is nothing to prove. So, suppose that some sig^,^{sig^^{m}} is posted and tallied. The only message signed by $r_0$ in $p$ is mg, which is a reencryption of the ballot containing the vote $z$, so m = mg. Hence, as the tabulation phase has to be done correctly (because otherwise the authorities would not be able to construct valid zero-knowledge proofs), this vote is published.

Now, we will show that condition (i) of Definition [2] holds for $v$ and $v'$. So, let $p \in \alpha$ be a run induced by $(v \parallel c \parallel e)$, for some $c \in C$ and $e \in E$. Since $p$ is in $\alpha$, there is some honest voter, say $v_1$, who successfully votes for $z$.
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As it is only f(a), not a itself, what is used to com- 

checksig(sigj,{m}, pub(fc)) = T pute this expression, the commitment can be checked (re- 

, ,. . ,. ^ - ■ r 1 Computed) using v, r, and f{a). However, the voter, 

unbl,nd(s,g,(blmd(m,i,pub(/c))),i) =s,g,{m} ^^^^ ^^^^^ ^^^^ ^^^^ ^, ^ ^^^^^ ^ ^^^^^ 

BC(i;', f'(a, f(a)) = BC('u,r, f(a)j = f'(a, w, r, t>') which gives the same commitment value, 

i.e. BC(w,r, f(a)) = BC(w',r', f(a)). 

splitVerif(f(sum(xi, . . . ,a;„)), f(xi), . . . , f(a;„)) = T 



Figure 5: Equational Theory for Okamoto Protocol. 

We take e' £ i? which is as e with the following excep- 
tions: if, in p, a message of the form s\g^^{s\g^^{m}} is 
posted on the bulletin board, where m is a ballot with some 
vote Zc (note that has to be a valid vote), then Vi, in e', 
votes for Zc instead of z. 

The run p' of (w' || c || e') is constructed from p in a natu- 
ral way: the messages in p' are delivered in the same order 
like the corresponding messages in p. One can show that 
p ^ p' . The rough idea is as follows: vi is used to balance 
the outcome of the election. Due to the fact that the coercer 
cannot tell any difference between an original DVRP and a 
faked one, and the fact that the messages posted on the bul- 
letin board are mixed and reencrypted before decryption, 
the runs are indistinguishable to the coercer. 

Now, we will show that condition (i) of Defini- 
tion [2] holds for v and v' . So, let p g a be a run induced 
by [v' II c II e), for some c e C and e € E. We define the 
vote of Zc'. if the coercer voter, in p, is instructed to use his 
randomiser to reencrypt some ballot rric with a valid proof 
that rric contains a valid vote v, then Zc is w; otherwise let 
Zc by any vote. Since p is in a, there is some honest voter, 
say Vi, who successfully votes for Zc- 

We take e' € E which is as e with the following excep- 
tions: if, in p, a message of the form s\g^^_^{s\g^^{m}} is post 
on the bulletin board (note that m must be nic as defined 
above) then vi, in e', votes for z instead of z^. 

The run p' of {v' \\ c \\ e') is constructed from p, again, in 
a natural way: the messages in p' are delivered in the same 
order like the corresponding messages in p. One can show 
that p ^ p' , for the same reasons as previously. 

D Okamoto Protocol 

In this section we describe the protocol [33] and discuss its 
properties. 

D.1 Cryptographic Primitives

In addition to the common cryptographic properties (which
can be modelled like in Figure 2), the protocol makes use of
blind signatures and trapdoor commitment. The equational
theory associated with these primitives is given in Fig. 5.

These primitives are used in the following way. For a
chosen vote $v$ and random values $r$ and $a$, a voter can
compute a trapdoor commitment for $v$, denoted by $\mathrm{BC}(v, r, f(a))$.



D.2 Description of the Protocol 

The set of agents is $\{v_0, \ldots, v_n, A, B, T, R_1, \ldots, R_N\}$, where
$v_0, \ldots, v_n$ are voters, $A$ is an administrator, $B$ is a
bulletin board, $T$ is a timeliness commission member, and
$R_1, \ldots, R_N$ are PRC members.

Channels between $v_i$ and $A$ are network channels (the
Internet). Messages posted on the bulletin board are sent
through an anonymous channel. The voter $v_i$ sends messages
to $T$ and $R_j$ using an untappable, anonymous channel.

From the point of view of $v_i$, the protocol execution
consists of the following steps: First, $v_i$ randomly generates
$a_i^1, \ldots, a_i^N$ and computes $a_i = \mathrm{sum}(a_i^1, \ldots, a_i^N)$. Then he
computes $G_i = f(a_i)$ and $G_i^j = f(a_i^j)$. Next, he randomly
chooses $r_i$ and $t_i$. Let

$m_i = \mathrm{BC}(v_i, r_i, G_i)$,

$x_i = \mathrm{blind}(m_i', t_i, \mathrm{pub}(A))$,

$z_i = \mathrm{sig}_{v_i}\{x_i\}$

Now, the following messages are exchanged:

(P1) $v_i \to A$: $\{x_i, z_i, v_i\}_{\mathrm{pub}(A)}$
(P2) $A \to v_i$: $y_i = \mathrm{sig}_A\{x_i\}$

As we mentioned, the communication channel between $v_i$
and $A$ is a public channel. Before executing (P2), $A$ checks
the signature $z_i$ on $x_i$ and verifies that $v_i$ has the right to
vote and has not applied yet. After step (P2) is performed,
$v_i$ takes $s_i = \mathrm{unblind}(y_i, t_i)$ (which is equivalent to
$\mathrm{sig}_A\{m_i'\}$). The successive steps are:



(P3) $v_i \to B$
(P4) $v_i \to T$: $(v_i, r_i, m_i)$
(P5) $v_i \to R_j$
(P6) $R_j \to B$: uH(f(a^),G,), sigR^K)

In the counting stage, $T$, using messages from the bulletin
board, checks whether the message obtained from $v_i$
in step (P4) is a valid ballot, as is explained below. Then
$T$ publishes valid votes in random order.

To check whether to accept a message (P4), $T$ does
the following: He looks for the matching message $(m_i', s_i)$
published on the bulletin board ($m_i'$ has to contain $m_i$
as the first component) and verifies that $s_i = \mathrm{sig}_A\{m_i'\}$.
Then he verifies that for $G_i$ taken from $m_i'$ it is true
that $m_i$ is in fact equal to $\mathrm{BC}(v_i, r_i, G_i)$. He also checks
whether, for all $G_i^j$ taken from $m_i'$, the corresponding
message $(G_i^j, G_i)$ was published on the bulletin board by $R_j$
and that $\mathrm{splitVerif}(G_i, G_i^1, \ldots, G_i^N) = T$. If all these tests
pass, the vote is accepted. $T$ also provides a zero-knowledge
proof that he has honestly published valid votes.
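The equations of Fig. 5 and T's acceptance test can be exercised in a toy discrete-log group. This is an added illustration, not code from the paper or from [33]: the group parameters, the concrete choices of f, sum, BC and f', and all sample values are assumptions, and the signature check on (P3) is left out.

```python
# Toy instantiation of Fig. 5 in a small discrete-log group (assumed, for illustration).
P, Q, GEN = 2039, 1019, 4   # P = 2Q + 1, both prime; GEN has order Q mod P

def f(a):
    return pow(GEN, a, P)

def sum_shares(shares):
    return sum(shares) % Q

def BC(v, r, G):
    """Trapdoor commitment to vote v with randomness r under G = f(a)."""
    return pow(GEN, v, P) * pow(G, r, P) % P

def f_prime(a, v, r, v2):
    """Randomness r' with BC(v2, r', f(a)) == BC(v, r, f(a)); needs the trapdoor a."""
    return (r + (v - v2) * pow(a, -1, Q)) % Q

def split_verif(G, parts):
    """True iff the product of the parts equals G, i.e. the shares behind them sum to a."""
    prod = 1
    for g in parts:
        prod = prod * g % P
    return prod == G

def t_accepts(m, v, r, G, published):
    """T's test on (P4): m opens to (v, r, G) and the published G^j split G."""
    return m == BC(v, r, G) and split_verif(G, published)

# Constructed sample values: one voter, N = 3 PRC members.
SHARES = [101, 202, 303]
A = sum_shares(SHARES)
G = f(A)
PARTS = [f(s) for s in SHARES]
V, R = 1, 77
M = BC(V, R, G)
R2 = f_prime(A, V, R, 2)     # same commitment M, now opened as a vote for 2

if __name__ == "__main__":
    print(t_accepts(M, V, R, G, PARTS), t_accepts(M, 2, R2, G, PARTS))
```

A voter who knows the full trapdoor can open the signed commitment to either vote; without it, only the original opening passes T's test.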

In [33], it is mentioned that the above voting scheme is
not coercion-resistant, if one of the PRC's is not honest
(cooperates with the coercer). So, a more complicated variant
of the voting scheme (Scheme B) is also proposed. In this
variant, the relation between $a_i$ and $A = \{a_i^1, \ldots, a_i^N\}$ is
that it is enough to know some number $K < N$ of elements
in $A$ to be able to compute $a_i$ (as opposed to the variant
presented above, where all $N$ elements of $A$ are necessary
to compute $a_i$).

D.3 Properties of the Protocol 

In short, the Okamoto protocol does not provide coercion 
resistance even under strong assumptions. However, the 
protocol is interesting in that it highlights the difference 
between single-voter coercion and multi-voter coercion, in 
absence of dishonest voters. 

In [33], the proof of coercion-resistance is based on the
observation that the only way to make a ballot accepted is
to send valid $a_i^j$ to all $R_j$. So because the channels between
the voter and PRC's are untappable, it can be only the
voter who sends these values and, in consequence, he has
to know them. Thus, he is able to compute $a_i$ and make
up a value $r'$ which enables him to vote for the vote of
his choice. This reasoning misses, however, the fact that
different $a_i^j$ can be sent by different voters or even by the
coercer, if he is also a voter.

If we assume that the coercer is an entitled voter or there
is some dishonest voter, the protocol is clearly not
coercion-resistant: the coercer prepares a ballot, asks the coerced
voter to obtain a blind signature on this ballot and then
completes the process by himself, using the anonymous
untappable channels he has access to.

Even if we assume that the coercer is not an entitled
voter and there is no dishonest voter, then still the protocol
is not coercion-resistant, provided that more than one
voter is coerced at the same time. In this case the coercion
strategy is as follows. All the coerced voters are supposed to
obtain a blind signature of the appropriate voting authority
on messages provided by the coercer. Then, the coercer
distributes the private credential shares to the voters in such
a way that no coerced voter has a complete collection of
private credential shares, i.e., the shares for one vote are
distributed among different coerced voters. As a result, no
coerced voter can open his/her commitment in an arbitrary
way. This suffices for the ballots of the coercer to be
accepted. To the best of our knowledge, this attack has not
been observed before. A more detailed description of this
attack follows.

Suppose that there are $N$ voters that are coerced (recall
that $N$ is the number of PRC's; we chose this number for
simplicity of the proof). The coercion strategy is as follows.
All the coerced voters are supposed to obtain a signature
on messages provided by the coercer. The $i$-th message is
built, as in the protocol description, using $a_i^1, \ldots, a_i^N$.
Each $v_i$ is then supposed to send $x_i$, like in the protocol
description, for $v_i$ chosen by the coercer. Furthermore, $v_j$
is supposed, for each $j \in \{1, \ldots, N\}$, to forward to $R_j$,
where $a = (i + j) \bmod N$. These shares are the only ones
that the voter learns. So, he is not able to compute any of
the $a_i$ (it is also true in scheme B), because he knows only one
private share for each $a_i$. Thus, the only valid vote $v_j$ can
send to $T$ is $v_i$, as demanded by the coercer. Because $T$
provides a zero-knowledge proof that the submitted votes
are accounted for, the coercer can verify that this vote has
really been posted by the voter.
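The property this argument relies on, that every PRC member receives a share of every ballot while no coerced voter holds enough shares of any trapdoor, can be checked mechanically for a given share assignment. The following is an added example, not from the paper: the function names are hypothetical, voters are assumed to be indexed 0..N-1, and the Scheme B threshold K is assumed to be at least 2.

```python
from collections import Counter

def page_plan(n):
    """plan[i][j] = k: coerced voter i forwards share j of ballot k = (i + j) mod n to R_j."""
    return {i: {j: (i + j) % n for j in range(1, n + 1)} for i in range(n)}

def honest_plan(n):
    """Intended use: voter i generates and forwards every share of his own ballot i."""
    return {i: {j: i for j in range(1, n + 1)} for i in range(n)}

def analyse(plan, n, threshold):
    """Return (all_ballots_complete, voters_able_to_reopen).

    threshold is the number of shares of a_k needed to recompute it:
    n in the basic scheme, K < n in Scheme B.
    """
    received = {j: set() for j in range(1, n + 1)}
    for row in plan.values():
        for j, k in row.items():
            received[j].add(k)
    # A ballot passes splitVerif only if every R_j got its j-th share.
    complete = all(received[j] == set(range(n)) for j in received)
    reopen = []
    for i, row in plan.items():
        known = Counter(row.values())          # shares of a_k seen by voter i
        reopen += [(i, k) for k, c in sorted(known.items()) if c >= threshold]
    return complete, reopen

if __name__ == "__main__":
    print(analyse(page_plan(4), 4, 4))    # basic scheme
    print(analyse(page_plan(4), 4, 2))    # Scheme B with K = 2
    print(analyse(honest_plan(4), 4, 4))  # intended protocol use
```

Under the intended use each voter can reopen his own commitment; under the assignment from the text all ballots are still complete but the list of voters able to reopen is empty.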

While the above attack allows the coercer to vote as he
wishes, an abstention attack is possible even if only one
voter is coerced, the coercer is not entitled to vote and
there are no dishonest voters.

The only setting in which we could prove coercion
resistance of the Okamoto protocol is in the setting just
described where $\alpha$ is defined similarly to the Lee et al. protocol
and the goal $\gamma$ is merely that if the coerced voter posts
message (P3) on the bulletin board, then he/she successfully
votes for the candidate of his/her choice.

Note that for this result to hold it is essential that only 
one voter is coerced. 